{"id":"UBUNTU-CVE-2018-9243","details":"GitLab Community and Enterprise Editions versions 8.4 up to 10.4 are vulnerable to cross-site scripting (XSS) because of a lack of input validation in the merge request component (specifically, filenames in the changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.","modified":"2025-10-24T04:46:58Z","published":"2018-04-05T14:29:00Z","upstream":["CVE-2018-9243"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-9243"},{"type":"REPORT","url":"https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-9243"}],"affected":[{"package":{"name":"gitlab","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/gitlab@8.5.8+dfsg-5?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["8.4.3+dfsg-9","8.4.3+dfsg-12","8.5.8+dfsg-5"],"ecosystem_specific":{"binaries":[{"binary_version":"8.5.8+dfsg-5","binary_name":"gitlab"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-9243.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}