The Information Highway


High-severity GitLab flaw lets attackers take over accounts

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks.

The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS Code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages.

While attackers can exploit this vulnerability without authenticating, user interaction is still needed, which increases the attacks' complexity.

"Today, we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)," GitLab said.

"These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately."

On Wednesday, the company also fixed six other medium-severity security flaws, including a Cross-Site Request Forgery (CSRF) via the Kubernetes Agent Server (CVE-2023-7045) and a denial-of-service bug that can let attackers disrupt the loading of GitLab web resources (CVE-2024-2874).
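A defender's first question after an advisory like this is whether a given instance is already on one of the named releases. The script below is an added example, not GitLab's code or anything from the original article: it parses the version string an instance reports (GitLab's `GET /api/v4/version` endpoint returns a JSON body with a `version` field, and self-managed builds often carry an `-ee` or `-ce` suffix) and compares it branch by branch against 17.0.1, 16.11.3 and 16.10.6. The affected version ranges are not stated on the page, so the script assumes that anything below the fixed release on its own minor branch, or on a branch older than 16.10, still needs the upgrade; the sample API responses are constructed, not from real instances.

```python
"""Compare a GitLab instance's reported version against the patched releases
named in the advisory (17.0.1, 16.11.3, 16.10.6).

Assumption (not stated on the page): a version below the fixed release on its
own minor branch, or on any branch older than 16.10, is treated as needing an
upgrade. Branches newer than 17.0 are assumed to ship with the fix.
"""
import json
from typing import Tuple

# Patched releases from the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (17, 0): (17, 0, 1),
    (16, 11): (16, 11, 3),
    (16, 10): (16, 10, 6),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; build suffixes such as '-ee' are dropped."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def needs_upgrade(version: str) -> bool:
    """True if the version predates the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return (major, minor, patch) < FIXED_RELEASES[branch]
    # Assumption: branches newer than any listed fix already contain it.
    if branch > max(FIXED_RELEASES):
        return False
    # Assumption: older branches received no fix in this release set.
    return True


def check_instance(api_version_json: str) -> dict:
    """Evaluate the JSON body returned by GitLab's GET /api/v4/version."""
    body = json.loads(api_version_json)
    version = body["version"]
    return {"version": version, "needs_upgrade": needs_upgrade(version)}


# Constructed sample responses, not taken from real instances.
SAMPLE_RESPONSES = [
    '{"version": "16.11.2-ee", "revision": "0000000"}',
    '{"version": "17.0.1", "revision": "0000000"}',
    '{"version": "16.9.8", "revision": "0000000"}',
]

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        result = check_instance(resp)
        status = "UPGRADE" if result["needs_upgrade"] else "ok"
        print(f"{result['version']:>12}  {status}")
```

In practice the JSON would come from an authenticated request to the instance's `/api/v4/version` endpoint; feeding that body to `check_instance` gives a quick inventory pass across self-managed instances without touching the vulnerable components themselves.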

Older account hijacking bug actively exploited in attacks

GitLab is a popular target since it's known to host various types of sensitive data, including API keys and proprietary code.

Hence, hijacked GitLab accounts can have a significant impact, including supply chain attacks, if the attackers insert malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments, compromising an organization's repositories.

As CISA warned earlier this month, threat actors are now actively exploiting another zero-click account hijacking vulnerability patched by GitLab in January.

Tracked as CVE-2023-7028, this maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets.

Even though Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, fewer than half (2,084) are still reachable at the moment.

CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog on May 1, ordering U.S. federal agencies to secure their systems within three weeks by May 22.

Tuesday, 18 June 2024