A high-severity stored cross-site scripting vulnerability in GitLab EE allows authenticated attackers to execute arbitrary code, leading to potential account takeover.

This vulnerability involves improper input sanitization within the Analytics Dashboard, which allows an authenticated user with developer-role permissions to inject malicious client-side code. This code executes in the context of a targeted user, facilitating session hijacking and unauthorized actions.

The vulnerability carries a CVSS score of 8.7, reflecting a high risk to organizational security. Successful exploitation could lead to full account takeover, unauthorized access to sensitive repository data, and potential privilege escalation within the development environment, resulting in significant reputational and operational damage.

Immediate Action: Upgrade all instances of GitLab EE to version 19.0.2, 18.11.5, or 18.10.8 as appropriate for your current deployment branch.

Proactive Monitoring: Review application access logs and audit trails for anomalous activity originating from the Analytics Dashboard or unexpected script executions by user accounts.

Compensating Controls: Implement a strict Content Security Policy (CSP) and ensure a Web Application Firewall (WAF) is configured to detect and block common XSS injection patterns.

Public Exploit Available: false

Given the potential for complete account compromise and lateral movement within the development pipeline, administrators must prioritize this patch. Apply the vendor-provided security updates immediately to mitigate the risk of malicious code injection and unauthorized session access.