Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-1175Cross-site Scripting in Gitlab

CWE-79Cross-site Scripting10 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
10.3%
top 6.79%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
3
GitlabDebian GitlabGitlab CE
Timeline
PublishedApr 4
Latest updateMay 12

Description

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

NVDgitlab/gitlab14.4.014.8.6+5
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=14.10, <14.10.1, >=14.4, <14.8.6, >=14.9, <14.9.4+2
gitlabgitlab/gitlab

🔴Vulnerability Details

3
GHSA
GHSA-jh26-hqr4-2cjg: An issue has been discovered in GitLab affecting all versions starting from 142022-05-12
GHSA
GHSA-9fwv-mvpv-qrh4: Improper neutralization of user input in GitLab CE/EE versions 142022-04-05
OSV
CVE-2022-1175: Improper neutralization of user input in GitLab CE/EE versions 142022-04-04

💥Exploits & PoCs

1
Exploit-DB
GitLab 14.9 - Stored Cross-Site Scripting (XSS)2022-04-26

📋Vendor Advisories

4
GitLab
CVE-2022-1433: An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all ver2022-05-11
GitLab
CVE-2022-1175: Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions startin2022-04-04
Debian
CVE-2022-1175: gitlab - Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7....2022
Debian
CVE-2022-1433: gitlab - An issue has been discovered in GitLab affecting all versions starting from 14.4...2022