Jan 30, 2014 - Marin Jankovski

Security vulnerability in gitlab (CVE-2013-7316)

We have learned about a XSS vulnerability in GitLab. This issue was fixed in GitLab 6.5.

Security vulnerability in GitLab (CVE-2013-7316)

We have learned about a XSS vulnerability in GitLab. This issue was fixed in GitLab 6.5.

Cross-site scripting (XSS) vulnerability in GitLab

A cross-site scripting (XSS) vulnerability in GitLab allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file. This vulnerability has been assigned the CVE identifier CVE-2013-7316.

Versions affected: 6.4 and earlier

Fixed versions: Community Edition 6.5.0, Enterprise Edition 6.5.0


In affected versions, when adding a README with voluntary extension the file would be rendered with markup. This would allow an attacker to add a script that would be executed on the client side.

This vulnerability was fixed in GitLab 6.5. All users running GitLab 6.4 and earlier versions should upgrade immediately.


Gitlab 6.5 Community Edition is available from https://gitlab.com/gitlab-org/gitlab-ce and https://github.com/gitlabhq/gitlabhq . GitLab 6.5 Enterprise Edition is available for subscribers from GitLab Cloud. Please follow the upgrade guides from your current version to version 6.5.


Thanks to ChenQin, Network and Information Security Lab @ Tsinghua University for reporting the vulnerability.

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Gitlab x icon svg