### [CVE-2018-9243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9243)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.

### POC

#### Reference
- https://gitlab.com/gitlab-org/gitlab-ce/issues/42028
- https://gitlab.com/gitlab-org/gitlab-ce/issues/42028

#### Github
No PoCs found on GitHub currently.