Multiple GitLab Vulnerabilities Allow Account Takeover and Stored XSS Attacks – Against Invaders – Notícias de CyberSecurity para humanos.

GitLab has released critical security patches addressing multiple high-severity vulnerabilities that could enable attackers to execute account takeovers and stored cross-site scripting (XSS) attacks across both Community Edition (CE) and Enterprise Edition (EE) platforms.

The vulnerabilities, disclosed in patch releases 18.2.2, 18.1.4, and 18.0.6, represent serious security risks that require immediate attention from administrators.

Critical Security Flaws Enable Account Compromise

The most concerning vulnerabilities involve multiple cross-site scripting flaws that could allow authenticated attackers to execute malicious actions on behalf of other users.

CVE-2025-6186, rated with a CVSS score of 8.7, specifically enables account takeover by allowing authenticated users to inject malicious HTML content into work item names.

This vulnerability affects GitLab CE/EE versions 18.1 before 18.1.4 and 18.2 before 18.2.2.

CVE ID           Vulnerability Type                           Severity   CVSS Score
CVE-2025-7734    Cross-site scripting in blob viewer          High       8.7
CVE-2025-7739    Cross-site scripting in labels               High       8.7
CVE-2025-6186    Cross-site scripting in work item            High       8.7
CVE-2025-8094    Improper permissions in project API          High       7.7
CVE-2024-12303   Incorrect privilege assignment               Medium     6.7
CVE-2025-2614    Resource allocation limits bypass            Medium     6.5
CVE-2024-10219   Incorrect authorization in jobs API          Medium     6.5
CVE-2025-8770    Merge request approval bypass                Medium     6.5
CVE-2025-2937    RegEx complexity in wiki                     Medium     6.5
CVE-2025-1477    Resource limits in Mattermost integration    Medium     6.5
CVE-2025-5819    Permission assignment in ID token            Medium     5.0
CVE-2025-2498    Access control in IP restrictions            Low        3.1

Two additional high-severity XSS vulnerabilities compound the security risks. CVE-2025-7734 affects the blob viewer component and impacts all versions from 14.2 before the patched releases, while CVE-2025-7739 targets label descriptions in the most recent 18.2 branch.

Both vulnerabilities carry the same 8.7 CVSS rating and could enable stored cross-site scripting attacks. Beyond XSS vulnerabilities, the patch addresses significant permission handling flaws.

CVE-2025-8094 allows authenticated users with maintainer privileges to manipulate shared infrastructure resources beyond their intended access level, potentially causing denial of service to other users’ CI/CD pipelines.

This vulnerability affects versions 18.0 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2.

Several medium-severity vulnerabilities enable privilege escalation and unauthorized access.

CVE-2024-12303 allows users to delete confidential issues through role manipulation, while CVE-2024-10219 permits bypassing access controls to download private artifacts.

Resource exhaustion vulnerabilities CVE-2025-2614 and CVE-2025-1477 could enable denial of service attacks through specially crafted content.

GitLab strongly recommends immediate upgrading to the latest patched versions, as GitLab.com is already running the secured release.
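As an added defender-side example (not from the article, GitLab, or the advisory itself), the following Python encodes the affected-version ranges the article states for the named CVEs and reports which of them a given self-managed instance version still falls under. The sample version strings are constructed, and the treatment of branches the article does not name (older unpatched branches and branches newer than 18.2) is an assumption noted in the comments.

```python
"""Check a GitLab version string against the affected ranges in the advisory summary."""

# Patched release per branch, as stated in the article.
PATCHED = {(18, 0): (18, 0, 6), (18, 1): (18, 1, 4), (18, 2): (18, 2, 2)}

# Half-open [affected_from, fixed_in) ranges taken from the article's text.
# CVE-2025-7739 is described only as "the most recent 18.2 branch", so the
# 18.2.0 floor is an assumption.
AFFECTED_RANGES = {
    "CVE-2025-6186": [((18, 1, 0), (18, 1, 4)), ((18, 2, 0), (18, 2, 2))],
    "CVE-2025-8094": [((18, 0, 0), (18, 0, 6)), ((18, 1, 0), (18, 1, 4)),
                      ((18, 2, 0), (18, 2, 2))],
    "CVE-2025-7739": [((18, 2, 0), (18, 2, 2))],
}


def parse_version(version_str):
    """'18.1.3-ee' -> (18, 1, 3); drops edition/pre-release suffixes."""
    core = version_str.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def blob_viewer_xss_affected(v):
    """CVE-2025-7734: all versions from 14.2 before the patched releases."""
    if v < (14, 2, 0):
        return False
    fix = PATCHED.get(v[:2])
    if fix is not None:
        return v < fix
    # Assumption: branches older than 18.0 received no fix; branches newer
    # than 18.2 were cut after the fix and are treated as patched.
    return v[:2] < (18, 0)


def affected_cves(version_str):
    """Return the sorted list of article-listed CVEs this version is exposed to."""
    v = parse_version(version_str)
    hits = [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(lo <= v < hi for lo, hi in ranges)]
    if blob_viewer_xss_affected(v):
        hits.append("CVE-2025-7734")
    return sorted(hits)


if __name__ == "__main__":
    for sample in ("18.1.3-ee", "18.2.2", "17.11.5"):  # constructed samples
        print(sample, affected_cves(sample))
```

Feed it the `version` field from an instance's `/api/v4/version` response to get a quick exposure list before scheduling the upgrade.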

The vulnerabilities were primarily discovered through GitLab’s HackerOne bug bounty program, with researchers including joaxcar, yvvdwf, and others contributing to the discoveries.

The comprehensive nature of these vulnerabilities underscores the critical importance of maintaining current GitLab installations and implementing regular security updates.
