CVE-2025-4278

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/539198	Broken Link
https://hackerone.com/reports/3085738	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

08 Aug 2025, 18:23

Type	Values Removed	Values Added
Summary		(es) Se ha detectado un problema en GitLab CE/EE que afecta a todas las versiones a partir de la 18.0 y anteriores a la 18.0.2. En determinadas circunstancias, la inyección de HTML en una nueva página de búsqueda podría provocar el robo de cuentas.
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/539198 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/539198 - Broken Link
References	~~() https://hackerone.com/reports/3085738 -~~	() https://hackerone.com/reports/3085738 - Permissions Required
First Time		Gitlab gitlab Gitlab
CPE		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

12 Jun 2025, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-12 10:16

Updated : 2025-08-08 18:23

NVD link : CVE-2025-4278

Mitre link : CVE-2025-4278

CVE.ORG link : CVE-2025-4278

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

8.7 /10