CVE-2022-2500 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 51.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE +1 more

Timeline

PublishedAug 5

Latest updateJan 10

Description

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶NVDgitlab/gitlab15.1.0 — 15.1.4+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=0.0, <15.0.5, >=15.1, <15.1.4, >=15.2, <15.2.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-4jhx-xj9w-gw72: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15↗2022-08-06

▶

OSV

CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15↗2022-08-05

▶

📋Vendor Advisories

Chrome

Stable Channel Update for Desktop: CVE-2023-0134↗2023-01-10

▶

GitLab

CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1.↗2022-08-05

▶

Chrome

Stable Channel Update for Desktop: CVE-2022-0803↗2022-03-01

▶

Debian

CVE-2022-2500: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...↗2022

▶