CVE-2024-28128: FitNesse Cross-site Scripting vulnerability

March 18, 2024 (updated March 21, 2025)

Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.

References

github.com/advisories/GHSA-mjq8-gg9x-87gr
github.com/unclebob/fitnesse
github.com/unclebob/fitnesse/blob/master/SECURITY.md
jvn.jp/en/jp/JVN94521208
nvd.nist.gov/vuln/detail/CVE-2024-28128

Code Behaviors & Features

Detect and mitigate CVE-2024-28128 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →