CVE-2020-13262 — Injection in Gitlab

CWE-74 — Injection CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 56.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 19

Latest updateMay 24

Description

Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab12.9.0 — 12.9.8+2

▶CVEListV5gitlab/gitlab>=12.10, <12.10.7, >=12.9, <12.9.8, >=13.0, <13.0.1+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-pw3w-gf65-52v7: Client-Side code injection through Mermaid markup in GitLab CE/EE 12↗2022-05-24

▶

OSV

CVE-2020-13262: Client-Side code injection through Mermaid markup in GitLab CE/EE 12↗2020-06-19

▶

📋Vendor Advisories

GitLab

CVE-2020-13262: Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requ↗2020-06-19

▶

Debian

CVE-2020-13262: gitlab - Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later...↗2020

▶