CVE-2022-1190 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting CWE-326 — Inadequate Encryption Strength CWE-328 — Use of Weak Hash6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

1.0%

top 22.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedApr 4

Latest updateNov 16

Description

Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab8.3.0 — 14.7.7+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.8.0, <14.8.5, >=14.9.0, <14.9.2, >=8.3.0, <14.7.7+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions↗2022-11-16

▶

GHSA

GHSA-6224-476v-jppq: Improper handling of user input in GitLab CE/EE versions 8↗2022-04-05

▶

OSV

CVE-2022-1190: Improper handling of user input in GitLab CE/EE versions 8↗2022-04-04

▶

📋Vendor Advisories

GitLab

CVE-2022-1190: Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to ex↗2022-04-04

▶

Debian

CVE-2022-1190: gitlab - Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14...↗2022

▶