cbcvebase.
CVE-2022-1175
published 2022-04-04


Priority: P358
Severity: medium (CVSS 3.1 base score 6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit flagged
EPSS: 82.00% (99.6th percentile)
Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

Affected

12 ranges

Vendor    Product     Version range              Fixed in
debian    gitlab      < 15.10.8+ds1-2 (sid)      15.10.8+ds1-2 (sid)
gitlab    gitlab      (range not listed)         (not listed)
gitlab    gitlab      (range not listed)         (not listed)
gitlab    gitlab      (range not listed)         (not listed)
gitlab    gitlab      (range not listed)         (not listed)
gitlab    gitlab      (range not listed)         (not listed)
gitlab    gitlab      >= 14.4.0, < 14.8.6        14.8.6
gitlab    gitlab      >= 14.4.0, < 14.7.7        14.7.7
gitlab    gitlab      >= 14.8.0, < 14.8.5        14.8.5
gitlab    gitlab      >= 14.9.0, < 14.9.4        14.9.4
gitlab    gitlab      >= 14.9.0, < 14.9.2        14.9.2
gitlab    gitlab_ce   (range not listed)         (not listed)

Detection & IOCs (extracted from sources)

  • XSS payload injected via HTML in GitLab notes/issues — monitor for script injection patterns in note/issue creation requests targeting GitLab CE/EE
  • Stored XSS payload persists due to missing Markdown cache invalidation — even after patching CVE-2022-1175, cached payloads may still execute on unpatched CVE-2022-1433 instances
  • Attacker technique: abuse stored XSS in GitLab issues to silently create personal access tokens for backdooring accounts of users who visit the XSS page
  • Attacker technique: change project base URL to attacker-controlled site so that scripts are sourced from the attacker's server — monitor for unusual external script src domains in GitLab-rendered pages
  • Standard external script include also used as a stealthier delivery method depending on CSP policy — monitor for <script src=> tags pointing to external domains in GitLab note/issue content
  • Affected versions are GitLab CE/EE 14.4 before 14.7.7, 14.8 before 14.8.5, and 14.9 before 14.9.2. Because the rendered Markdown of a note is cached, a payload stored before the fix can keep executing after the XSS fix is applied on instances still affected by the separate cache-invalidation issue CVE-2022-1433 (14.4 before 14.8.6, 14.9 before 14.9.4, 14.10 before 14.10.1); patching both and re-checking existing notes is required, not just upgrading past the XSS fix
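The IOC list above names four artefacts worth hunting for in note and issue bodies: raw <script> tags, <script src=> pointing off-instance, a <base href> that redirects relative script loads to an attacker host, and inline handlers or javascript: URIs. The following scanner is an added example written for this page, not code from the page's sources or from GitLab; it assumes a self-managed instance at gitlab.example.com (the only host allowed to serve scripts) and runs over a small set of constructed note bodies. In practice you would feed it the raw note bodies from the Notes API and, because of the cache caveat in CVE-2022-1433, the cached rendered HTML of each note as well, since that is what a browser actually receives.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the instance's own host is the only legitimate script origin.
ALLOWED_SCRIPT_HOSTS = {"gitlab.example.com"}

# Inline event handlers such as onerror= / onload= (must follow whitespace).
EVENT_HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
# javascript: URIs in href or src attributes.
JS_URI_RE = re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)


class _TagCollector(HTMLParser):
    """Collect <script> tags, their src values and any <base href> from note HTML."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.script_srcs = []
        self.base_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.script_tags += 1
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
        elif tag == "base" and attrs.get("href"):
            self.base_hrefs.append(attrs["href"])


def _external(url):
    """True when url names a host outside ALLOWED_SCRIPT_HOSTS.

    Protocol-relative URLs ("//evil.example/x.js") parse with a hostname, so they are
    caught too; plain relative paths have no hostname and are treated as on-instance.
    """
    host = urlparse(url).hostname
    return host is not None and host.lower() not in ALLOWED_SCRIPT_HOSTS


def analyze_note(body):
    """Return a list of reasons why this note body is suspicious (empty == clean)."""
    reasons = []
    collector = _TagCollector()
    collector.feed(body)
    if collector.script_tags:
        reasons.append("inline or sourced <script> tag in note body")
    for src in collector.script_srcs:
        if _external(src):
            reasons.append(f"external script src: {src}")
    for href in collector.base_hrefs:
        if _external(href):
            reasons.append(f"<base href> points off-instance: {href}")
    if EVENT_HANDLER_RE.search(body):
        reasons.append("inline event handler attribute (on*=)")
    if JS_URI_RE.search(body):
        reasons.append("javascript: URI in href/src")
    return reasons


def scan_notes(notes):
    """Run analyze_note over dicts with 'id', 'project' and 'body'; return the hits."""
    findings = []
    for note in notes:
        reasons = analyze_note(note["body"])
        if reasons:
            findings.append({"id": note["id"], "project": note["project"], "reasons": reasons})
    return findings


# Constructed sample notes (not real GitLab data) covering each IOC above.
SAMPLE_NOTES = [
    {"id": 1, "project": "grp/app", "body": "LGTM, merging after CI passes."},
    {"id": 2, "project": "grp/app", "body": '<script src="//cdn.attacker.example/p.js"></script>see attached'},
    {"id": 3, "project": "grp/app", "body": '<img src=x onerror="alert(1)">'},
    {"id": 4, "project": "grp/app", "body": '<base href="https://cdn.attacker.example/">Repro steps below'},
    {"id": 5, "project": "grp/app", "body": '<a href="javascript:alert(document.domain)">details</a>'},
    {"id": 6, "project": "grp/app", "body": '<script src="https://gitlab.example.com/assets/webpack/main.js"></script>'},
]


def scan_sample():
    """Scan the constructed notes; ids 2 through 6 are flagged, id 1 is clean."""
    return scan_notes(SAMPLE_NOTES)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit["project"], hit["id"], "; ".join(hit["reasons"]))
```

Two practical notes: GitLab's sanitizer is supposed to strip these constructs, so any of them surviving in the stored or cached HTML of a note is the signal, not the raw Markdown alone; and Markdown fenced code blocks that legitimately contain "<script>" text will trip the regex checks, so triage hits against the rendered HTML before raising an alert.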

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
osv             -         6.1     MEDIUM     -
vendor_debian   -         8.7     HIGH       -