CVE-2024-2279 in Community Edition
Summary
by MITRE • 04/12/2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, and all versions starting from 16.10 before 16.10.2. Using the autocomplete for issue references feature, a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
Analysis
by VulDB Data Team • 05/03/2026
CVE-2024-2279 is a critical stored cross-site scripting (XSS) flaw in GitLab Community Edition and Enterprise Edition. It affects versions 16.7 through 16.8.6, 16.9 versions prior to 16.9.4, and 16.10 versions before 16.10.2. The flaw lies in the autocomplete feature for issue references: user-supplied data is not adequately sanitized, validated or escaped before it is stored and later rendered in the web interface, so an attacker can plant persistent malicious markup in the system.
The autocomplete feature is meant to help users quickly reference existing issues in GitLab's issue tracker: as the user types, the system offers suggestions drawn from existing issue identifiers, titles, or descriptions. The flaw occurs in how that data is processed. A crafted payload containing JavaScript can bypass the intended security controls and be stored in the GitLab database, where it lies dormant until another user views the affected issue or related content; at that point the code executes in the victim's browser context. Because the payload is stored rather than reflected, the attack persists long after the initial injection and can affect many users over time.
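As an added illustration, not GitLab's code and not part of this VulDB entry, here is the rendering pattern behind this class of flaw in a hypothetical issue-reference autocomplete widget (the issue records, field names and function names are all constructed): the unsafe path interpolates a stored issue title straight into markup, while the hardened paths escape it at the sink or assign it through textContent.

```javascript
// Constructed sample: issue records as a hypothetical autocomplete endpoint
// might return them. Issue #2 carries a harmless XSS probe as its title.
const sampleIssues = [
  { iid: 1, title: "Login page returns 500 on empty password" },
  { iid: 2, title: '<img src=x onerror="alert(1)">' },
];

// Escape the characters that change meaning inside HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored data is interpolated straight into markup that
// will be assigned to innerHTML, so a title is parsed as HTML, not shown as text.
function buildSuggestionHtmlUnsafe(issues) {
  return issues
    .map((i) => `<li data-iid="${i.iid}">#${i.iid} ${i.title}</li>`)
    .join("");
}

// Hardened pattern: every untrusted field is escaped where it enters the
// markup (the sink), so the same title renders literally.
function buildSuggestionHtmlSafe(issues) {
  return issues
    .map((i) => {
      const iid = escapeHtml(i.iid);
      return `<li data-iid="${iid}">#${iid} ${escapeHtml(i.title)}</li>`;
    })
    .join("");
}

// Preferred in a browser: build nodes with DOM APIs and set text through
// textContent, which never parses markup. Needs a DOM, so not run by the checks.
function renderSuggestionsDom(container, issues) {
  container.replaceChildren();
  for (const i of issues) {
    const li = document.createElement("li");
    li.dataset.iid = String(i.iid);
    li.textContent = `#${i.iid} ${i.title}`;
    container.appendChild(li);
  }
}

// Test oracle: true if the markup contains any tag other than the template's
// own <li>/</li>. Meant for unit tests of the sink, not as an input filter.
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}
```

Output encoding at every sink is the actual fix; a WAF or Content-Security-Policy only limits what a missed sink can do.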
The impact of CVE-2024-2279 goes beyond running script in a page: the attacker can perform arbitrary actions on behalf of legitimate users, with those users' privileges and access levels. That enables manipulating project data, modifying issue attributes, accessing confidential information, or potentially escalating privileges within the GitLab environment. The vulnerability can be used to create backdoors, steal session cookies, redirect users to malicious sites, or perform actions such as creating new issues, modifying existing ones, or accessing restricted project features. Because GitLab is a central collaboration platform for software development teams, this can compromise the integrity of entire development workflows and expose sensitive source code repositories, project planning information, and development artifacts.
Security practitioners should apply immediate mitigations, above all upgrading to a patched GitLab release where available, such as 16.9.4, 16.10.2, and later. Organizations should also consider additional defensive measures such as web application firewalls, content security policies, and stronger input validation. The vulnerability is classified under CWE-79, which covers cross-site scripting flaws, and is mapped to ATT&CK technique T1566.001, phishing with malicious attachments or links. Organizations should assess their GitLab installations thoroughly and monitor for suspicious activity that might indicate exploitation attempts. User education about the risks of clicking untrusted links or interacting with suspicious issue references also remains an important part of preventing successful exploitation.