CVE-2021-22260
published 2021-11-05CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting…
PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.91%
55.6th percentile
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.7.0 < 14.0.9 | 14.0.9 |
| gitlab | gitlab | >= 14.1.0 < 14.1.4 | 14.1.4 |
| gitlab | gitlab | >= 14.2.0 < 14.2.2 | 14.2.2 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
osv5.4MEDIUM
vendor_debian7.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-87x4-89mh-jmjg: A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13
ghsa_unreviewed·2022-05-24
CVE-2021-22260 [MEDIUM] CWE-79 GHSA-87x4-89mh-jmjg: A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13
A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf
OSV
CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13
osv·2021-11-05·CVSS 5.4
CVE-2021-22260 [MEDIUM] CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf
GitLab
CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions
vendor_gitlab·2021-11-05·CVSS 7.7
CVE-2021-22260 [HIGH] CWE-79 CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions
CVE-2021-22260: A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf
Debian
CVE-2021-22260: gitlab - A stored Cross-Site Scripting vulnerability in the DataDog integration in all ve...
vendor_debian·2021·CVSS 7.7
CVE-2021-22260 [HIGH] CVE-2021-22260: gitlab - A stored Cross-Site Scripting vulnerability in the DataDog integration in all ve...
A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22260.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/336614https://hackerone.com/reports/1257383https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22260.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/336614https://hackerone.com/reports/1257383
2021-11-05
Published