CVE-2021-22232
published 2021-07-06
CVE-2021-22232: HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
Priority P426 · medium · 5.4 · CVSS 3.1
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.75% (50.3th percentile)
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.12.0 < 13.12.6 | 13.12.6 |
| gitlab | gitlab | >= 14.0.0 < 14.0.2 | 14.0.2 |
| gitlab | gitlab | >= 9.5.0 < 13.11.6 | 13.11.6 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
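| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | | 5.4 | MEDIUM | |
| vendor_debian | | 3.5 | LOW | |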
GitLab
CVE-2021-22232: HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
vendor_gitlab·2021-07-06·CVSS 3.5
CVE-2021-22232 [LOW] CWE-74 CVE-2021-22232: HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
Debian
CVE-2021-22232: gitlab - HTML injection was possible via the full name field before versions 13.11.6, 13....
vendor_debian·2021·CVSS 3.5
CVE-2021-22232 [LOW] CVE-2021-22232: gitlab - HTML injection was possible via the full name field before versions 13.11.6, 13....
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-q5w6-p37j-cwr4: HTML injection was possible via the full name field before versions 13
ghsa_unreviewed·2022-05-24
CVE-2021-22232 [MEDIUM] CWE-74 GHSA-q5w6-p37j-cwr4: HTML injection was possible via the full name field before versions 13
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
OSV
CVE-2021-22232: HTML injection was possible via the full name field before versions 13
osv·2021-07-06·CVSS 5.4
CVE-2021-22232 [MEDIUM] CVE-2021-22232: HTML injection was possible via the full name field before versions 13
HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
No detection rules found.
Exploit-DB
Adobe Connect 11.4.5 - Local File Disclosure
exploitdb·2023-04-08·CVSS 5.3
CVE-2023-22232 [MEDIUM] Adobe Connect 11.4.5 - Local File Disclosure
---
# Title: Adobe Connect 11.4.5 - Local File Disclosure
# Author: h4shur
# date:2021.01.16-2023.02.17
# CVE: CVE-2023-22232
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version: 11.4.5 and earlier, 12.1.5 and earlier
# User interaction: None
# Tested on: Windows 10 & Google Chrome, kali linux & firefox
### Summary:
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature.
Exploitation of this issue does not require user interaction.
### Description :
There are many web applica
Exploit-DB
Adobe Connect 10 - Username Disclosure
exploitdb·2021-02-09
CVE-2023-22232 Adobe Connect 10 - Username Disclosure
---
# Title: Adobe Connect 10 - Username Disclosure
# Author: h4shur
# date:2021-02-07
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version: 10 and earlier
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
### Description :
By adding this (/system/help/support) to the end of the desired website address, you can view the username without any filter or obstacle. Sometimes even without a username and password. And by adding (/system/login) to the end of the desired website address, you can access the admin panel without any filters.
### POC :
site.com/system/help/support
### Admin Panel :
site.com/system/login
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22232.json
https://gitlab.com/gitlab-org/gitlab/-/issues/300713
https://hackerone.com/reports/1090634
Published: 2021-07-06