{"id":"CVE-2018-9243","details":"GitLab Community and Enterprise Editions versions 8.4 up to 10.4 are vulnerable to cross-site scripting (XSS) because of a lack of input validation in the merge request component (specifically, filenames in the changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.","modified":"2026-04-10T04:13:24.870087Z","published":"2018-04-05T14:29:00.327Z","references":[{"type":"ADVISORY","url":"https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/"},{"type":"EVIDENCE","url":"https://gitlab.com/gitlab-org/gitlab-ce/issues/42028"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"5b5777b8cf3328d27ef549c31f70993da1d1b267"},{"fixed":"023315ab201e488d9a4bb3011743923e6998fc86"},{"introduced":"5b5777b8cf3328d27ef549c31f70993da1d1b267"},{"fixed":"023315ab201e488d9a4bb3011743923e6998fc86"},{"introduced":"fa49afab45259cd56ea7d1505d3ec7757770cfa9"},{"fixed":"e6f48f08f76cbdc973d08669a9ec6ac40e863b62"},{"introduced":"fa49afab45259cd56ea7d1505d3ec7757770cfa9"},{"fixed":"e6f48f08f76cbdc973d08669a9ec6ac40e863b62"},{"introduced":"3d59f5643aa87ca1fc506bf1ad37262d8ca6b4d6"},{"fixed":"8b1a92ef5835cae2d3e020e37091cd9a3868cbba"},{"introduced":"3d59f5643aa87ca1fc506bf1ad37262d8ca6b4d6"},{"fixed":"8b1a92ef5835cae2d3e020e37091cd9a3868cbba"}],"database_specific":{"versions":[{"introduced":"8.4"},{"fixed":"10.4.7"},{"introduced":"8.4"},{"fixed":"10.4.7"},{"introduced":"10.5.0"},{"fixed":"10.5.7"},{"introduced":"10.5.0"},{"fixed":"10.5.7"},{"introduced":"10.6.0"},{"fixed":"10.6.3"},{"introduced":"10.6.0"},{"fixed":"10.6.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9243.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}