
[ASA-201807-1] gitlab: multiple issues
Arch Linux Security Advisory ASA-201807-1
=========================================

Severity: Medium
Date    : 2018-07-04
CVE-ID  : CVE-2018-3740 CVE-2018-12606 CVE-2018-12607
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    :

Summary
=======

The package gitlab before version 11.0.1-1 is vulnerable to multiple issues including cross-site scripting and insufficient validation.

Resolution
==========

Upgrade to 11.0.1-1.

# pacman -Syu "gitlab>=11.0.1-1"

The problems have been fixed upstream in version 11.0.1.

Workaround
==========

None.

Description
===========

- CVE-2018-3740 (insufficient validation)

A specially crafted HTML fragment can cause the Sanitize gem for Ruby to allow non-whitelisted attributes on a whitelisted HTML element.

- CVE-2018-12606 (cross-site scripting)

The wiki contains a persistent XSS issue due to a lack of output encoding affecting a specific markdown feature.

- CVE-2018-12607 (cross-site scripting)

The charts feature contains a persistent XSS issue due to a lack of output encoding.

Impact
======

An attacker is able to use a GitLab server to execute malicious JavaScript code on its users via a crafted HTML chart or specific markdown features.

References
==========
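The Description above names two defect classes: user data written into markup without output encoding (CVE-2018-12606, CVE-2018-12607) and a sanitizer letting a non-whitelisted attribute through on a whitelisted element (CVE-2018-3740). The Ruby below is an added illustration of the corresponding defences and is not GitLab's code, the Sanitize gem's code, or the actual bypass; the allowlist policy, the element/attribute representation and the sample chart label are all constructed for the example.

```ruby
require "cgi"

# Added example: output encoding and attribute allowlisting, the two
# defence classes behind the advisory's findings. Illustrative code only,
# not GitLab's or the Sanitize gem's implementation; the sanitizer here is
# a hypothetical, minimal one that operates on an already-parsed element.

# Constructed sample of user-controlled input, e.g. a chart label or a
# value taken from a markdown feature, carrying a script payload.
SAMPLE_LABEL = "Q3 revenue<script>alert(document.cookie)</script>"

# Vulnerable pattern: user data interpolated into markup verbatim, so the
# payload is stored and later rendered to every viewer (persistent XSS).
def render_label_unencoded(label)
  "<text>#{label}</text>"
end

# Hardened pattern: HTML-encode at the output boundary so <, >, &, " and '
# cannot close the element or open a new one.
def render_label_encoded(label)
  "<text>#{CGI.escapeHTML(label)}</text>"
end

# Hypothetical allowlist: element name => attributes permitted on it.
ALLOWED_ATTRIBUTES = {
  "a"   => %w[href title],
  "img" => %w[src alt],
  "b"   => [],
}.freeze

# Reject elements outside the allowlist (returns nil) and drop any attribute
# not listed for that element. Names are compared case-insensitively and
# with surrounding whitespace removed, so spellings such as "ONCLICK" or
# "onclick " do not slip past the comparison.
def filter_attributes(tag, attrs)
  permitted = ALLOWED_ATTRIBUTES[tag.to_s.downcase.strip]
  return nil if permitted.nil?
  attrs.each_with_object({}) do |(name, value), kept|
    normalized = name.to_s.downcase.strip
    kept[normalized] = value if permitted.include?(normalized)
  end
end

# True when the element and every attribute on it survive filtering, i.e.
# the fragment contains nothing the policy does not permit. Useful as a
# detection check on stored content after a sanitizer fix is deployed.
def conforms?(tag, attrs)
  kept = filter_attributes(tag, attrs)
  return false if kept.nil?
  kept.keys.sort == attrs.keys.map { |k| k.to_s.downcase.strip }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts render_label_unencoded(SAMPLE_LABEL)
  puts render_label_encoded(SAMPLE_LABEL)
  p filter_attributes("a", { "href" => "/wiki/Home", "onclick" => "alert(1)" })
  p filter_attributes("iframe", { "src" => "https://example.invalid" })
end
```

The point of `filter_attributes` returning a fresh hash rather than mutating its input is that the decision is made per attribute against an explicit policy; a sanitizer that instead tries to recognise and remove dangerous attributes is the kind of design that a crafted fragment can talk its way around.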