CVE-2021-39946 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

5.4MEDIUMNVD

OSV9.1

EPSS

0.2%

top 59.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 18

Latest updateAug 24

Description

Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab14.3 — 14.3.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.3, <14.3.6, >=14.4, <14.4.4, >=14.5, <14.5.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

fastdds vulnerabilities↗2023-08-24

▶

GHSA

GHSA-rvcw-fpwr-r263: Improper neutralization of user input in GitLab CE/EE versions 14↗2022-01-19

▶

OSV

CVE-2021-39946: Improper neutralization of user input in GitLab CE/EE versions 14↗2022-01-18

▶

📋Vendor Advisories

GitLab

CVE-2021-39946: Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS b↗2022-01-18

▶

Debian

CVE-2021-39946: gitlab - Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 1...↗2021

▶