CVE-2021-22242 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

2.3%

top 15.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedAug 25

Latest updateMay 24

Description

Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab11.4.0 — 13.12.9+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=11.4, <13.12.9, >=14.0, <14.0.7, >=14.1, <14.1.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-3r2f-rpgw-83gm: Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11↗2022-05-24

▶

OSV

CVE-2021-22242: Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11↗2021-08-25

▶

📋Vendor Advisories

GitLab

CVE-2021-22242: Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vu↗2021-08-25

▶

Debian

CVE-2021-22242: gitlab - Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4...↗2021

▶