CVE-2019-5471 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 78.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedSep 9

Latest updateMay 24

Description

An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDgitlab/gitlab11.11.0 — 11.11.7+2

▶CVEListV5gitlab/gitlabFixed versions 12.1.2, 12.0.4, and 11.11.6

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-9vpf-9m6p-h2rr: An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-5471: An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was↗2019-09-09

▶

Debian

CVE-2019-5471: gitlab - An input validation and output encoding issue was discovered in the GitLab email...↗2019

▶