{"id":"CVE-2017-8778","details":"GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document.","modified":"2026-04-10T04:01:18.088587Z","published":"2017-05-04T15:29:00.157Z","references":[{"type":"FIX","url":"https://about.gitlab.com/2017/02/15/gitlab-8-dot-16-dot-5-security-release/"},{"type":"EVIDENCE","url":"https://gitlab.com/gitlab-org/gitlab-ce/issues/27471"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"0"},{"last_affected":"0c79c85b6bf7e98816255d673569727b083a90cd"},{"introduced":"0"},{"last_affected":"c1710afbd437c557741ff4c7fa185c6ffb89bf1b"},{"introduced":"0"},{"last_affected":"3e62eeed9a33f4885c53dbb73715f3b3ebda9434"},{"introduced":"0"},{"last_affected":"aa958616f4996672ef494e6a5222726093d17d87"},{"introduced":"0"},{"last_affected":"fe6cf5a54771739af7f10aa15c33d42b1a1ddbd7"},{"introduced":"0"},{"last_affected":"e33b0cbd0dfb10617a37ec5ce054fadb82c8631b"},{"introduced":"0"},{"last_affected":"f431be49b6940b3079b30cd65de56f03b4328e2e"},{"introduced":"0"},{"last_affected":"47550d092f0a6cbedc58752d1a220fe519b8ea01"},{"introduced":"0"},{"last_affected":"060f824bd7be41ffc05af04def53f20e3a870ca7"},{"introduced":"0"},{"last_affected":"a019470b8a6d2fa82a5eec3200663eca87c96baa"},{"introduced":"0"},{"last_affected":"bc4639359cf2880d6ee614a01e6b8049293d4366"},{"introduced":"0"},{"last_affected":"93daa28c0cff0fa8a523d29a9e1ea887cbe021d8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.14.9"},{"introduced":"0"},{"last_affected":"8.15.0"},{"introduced":"0"},{"last_affected":"8.15.1"},{"introduced":"0"},{"last_affected":"8.15.2"},{"introduced":"0"},{"last_affected":"8.15.3"},{"introduced":"0"},{"last_affected":"8.15.4"},{"introduced":"0"},{"last_affected":"8.15.5"},{"introduced":"0"},{"last_affected":"8.16.0"},{"introduced":"0"},{"last_affected":"8.16.1"},{"introduced":"0"},{"last_affected":"8.16.2"},{"introduced":"0"},{"last_affected":"8.16.3"},{"introduced":"0"},{"last_affected":"8.16.4"}]}}],"versions":["v1.2.0","v1.2.0pre","v1.2.1","v1.2.2","v2.3.0","v2.3.0pre","v2.3.1","v2.4.0","v2.4.0pre","v2.4.1","v2.5.0","v2.6.0","v2.6.0pre","v2.6.1","v2.6.2","v2.6.3","v2.7.0","v2.7.0pre","v2.8.0","v2.8.0pre","v2.8.1","v2.8.2","v2.9.0","v2.9.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.1.0","v4.0.0","v4.0.0rc1","v4.0.0rc2","v5.0.0","v5.1.0","v5.2.0","v5.3.0","v6.0.0","v6.0.0-ee","v6.0.0-ee.beta","v6.0.0-ee.rc1","v6.1.0-ee","v6.2.0","v6.3.0","v6.3.0-ee","v6.3.1-ee","v6.4.0","v6.4.0-ee","v6.4.0.pre1","v6.4.0.pre2","v6.4.0.pre3","v6.5.0","v6.5.0-ee","v6.5.0.rc1","v6.6.0","v6.6.0-ee","v6.6.0.pre1","v6.6.0.rc1","v6.7.0-ee","v6.7.0.rc1","v6.7.0.rc1-ee","v6.8.0-ee","v7.0.0","v7.0.0-ee","v7.0.0.rc1","v7.1.0","v7.1.0-ee","v7.1.0.rc1","v7.1.0.rc1-ee","v7.2.0.rc1","v7.2.0.rc1-ee","v7.2.0.rc2","v7.2.0.rc2-ee","v7.2.0.rc3","v7.2.0.rc3-ee","v7.2.0.rc4","v7.2.0.rc4-ee","v7.2.0.rc5","v7.2.0.rc5-ee","v7.3.0","v7.3.0-ee","v7.3.0.rc1","v7.3.0.rc1-ee","v8.11.0.pre","v8.13.0.pre","v8.14.0-ee","v8.14.0-rc1-ee","v8.14.0-rc2-ee","v8.14.0-rc4-ee","v8.14.0-rc5-ee","v8.14.0.pre","v8.14.1-ee","v8.14.2-ee","v8.14.3-ee","v8.14.4-ee","v8.14.5-ee","v8.14.7-ee","v8.14.8-ee","v8.14.9-ee","v8.15.0-ee","v8.15.0-rc1-ee","v8.15.0-rc2-ee","v8.15.0-rc3-ee","v8.15.0-rc4-ee","v8.15.0-rc6-ee","v8.15.0.pre","v8.15.1-ee","v8.15.2-ee","v8.15.3-ee","v8.15.4-ee","v8.15.5-ee","v8.16.0-ee","v8.16.0-rc1-ee","v8.16.0-rc2-ee","v8.16.0-rc3-ee","v8.16.0-rc4-ee","v8.16.0-rc5-ee","v8.16.0-rc6-ee","v8.16.0.pre","v8.16.1-ee","v8.16.2-ee","v8.16.3-ee","v8.16.4-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8778.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}