Original article published 5 days ago (April 11, 2024)
Preface: Comparing GitHub and GitLab on security, GitLab is more secure than GitHub, while GitHub is less secure because it does not have authorization compliance. Another difference is that GitLab is a cloud-native application, while GitHub is used for sharing work in public. If you are working on a private project, GitLab is a better fit since it provides more robust tools for private repositories and a higher level of control over user access.
Background: Diff Viewers, found under models/diff_viewer/*, are classes used to map metadata about each type of diff file. Each class records whether the file is a binary, which partial should be used to render it, and which file extensions the class accounts for.
Vulnerability details: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a Stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
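To check instances against the affected ranges above, the following Ruby script is an added example (not GitLab's code and not part of the original article). It assumes version strings of the form "16.9.3" with an optional "v" prefix and edition suffix; the function names and the inventory are hypothetical, constructed sample data.

```ruby
require "rubygems" # Gem::Version; loaded by default in normal Ruby runs

# Affected ranges from the advisory text: [first affected, first version outside the range].
AFFECTED_RANGES = [
  [Gem::Version.new("16.9"),  Gem::Version.new("16.9.4")],
  [Gem::Version.new("16.10"), Gem::Version.new("16.10.2")]
].freeze

# Parses "16.9.3", "16.10.1-ee", "v16.9.4" and similar. Returns nil for anything
# else so the caller can flag the instance for manual review.
def parse_gitlab_version(raw)
  m = raw.to_s.strip.match(/\Av?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ee|ce))?\z/i)
  return nil unless m
  # Drop the edition suffix: Gem::Version would treat "-ee" as a prerelease and
  # sort "16.9.4-ee" below "16.9.4", misreporting a patched instance as affected.
  Gem::Version.new([m[1], m[2], m[3] || "0"].join("."))
end

# Returns the [first_affected, first_unaffected] pair containing the version, or nil.
def matching_range(version)
  AFFECTED_RANGES.find { |first, fixed| version >= first && version < fixed }
end

# :affected, :not_affected, or :unknown (unparseable, needs manual review).
def cve_2024_3092_status(raw)
  version = parse_gitlab_version(raw)
  return :unknown if version.nil?
  matching_range(version) ? :affected : :not_affected
end

# Minimum upgrade target for an affected version, nil otherwise.
def upgrade_target(raw)
  version = parse_gitlab_version(raw)
  range = version && matching_range(version)
  range && range[1].to_s
end

# Constructed sample inventory (hostnames and versions are made up for illustration).
INVENTORY = {
  "gitlab-a.example.internal" => "16.9.3-ee",
  "gitlab-b.example.internal" => "16.10.2",
  "gitlab-c.example.internal" => "16.8.5-ce",
  "gitlab-d.example.internal" => "unknown"
}.freeze

def triage(inventory)
  inventory.map { |host, raw| [host, cve_2024_3092_status(raw), upgrade_target(raw)] }
end

triage(INVENTORY).each do |host, status, target|
  puts format("%-28s %-13s %s", host, status, target ? "upgrade to >= #{target}" : "-")
end
```

Instances reported as `:unknown` should be checked by hand rather than assumed safe.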
Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-3092