CVE-2022-2500
published 2022-08-05CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored…
PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.60%
44.1th percentile
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | < 15.0.5 | 15.0.5 |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 15.1.0 < 15.1.4 | 15.1.4 |
| gitlab | gitlab_ce | — | — |
| chrome_chrome | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv5.4MEDIUM
vendor_debian4.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Chrome
Stable Channel Update for Desktop: CVE-2023-0134
vendor_chrome·2023-01-10·CVSS 8.8
CVE-2023-0134 [MEDIUM] Stable Channel Update for Desktop: CVE-2023-0134
Stable Channel Update for Desktop
CVE-2023-0134: Use after free in Cart. Reported by Chaoyuan Peng (@ret2happy) on 2022-11-17 [$2500][ 1385831 ] Medium CVE-2023-0135: Use after free in Cart
Reported by Chaoyuan Peng (@ret2happy) on 2022-11-18 [$2000][ 1356987 ] Medium CVE-2023-0136: Inappropriate implementation in Fullscreen API
Severity: medium
GitLab
CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1.
vendor_gitlab·2022-08-05·CVSS 4.4
CVE-2022-2500 [MEDIUM] CWE-79 CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1.
CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Chrome
Stable Channel Update for Desktop: CVE-2022-0803
vendor_chrome·2022-03-01·CVSS 6.5
CVE-2022-0803 [MEDIUM] Stable Channel Update for Desktop: CVE-2022-0803
Stable Channel Update for Desktop
CVE-2022-0803: Inappropriate implementation in Permissions. Reported by Abdulla Aldoseri on 2021-12-15 [$2500][ 1264561 ] Medium CVE-2022-0804: Inappropriate implementation in Full screen mode
Reported by Irvan Kurniawan (sourc7) on 2021-10-29 [$2000][ 1290700 ] Medium CVE-2022-0805: Use after free in Browser Switcher
Severity: medium
Debian
CVE-2022-2500: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...
vendor_debian·2022·CVSS 4.4
CVE-2022-2500 [MEDIUM] CVE-2022-2500: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-4jhx-xj9w-gw72: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15
ghsa_unreviewed·2022-08-06
CVE-2022-2500 [MEDIUM] CWE-79 GHSA-4jhx-xj9w-gw72: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
OSV
CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15
osv·2022-08-05·CVSS 5.4
CVE-2022-2500 [MEDIUM] CVE-2022-2500: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2500.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/363725https://hackerone.com/reports/1579645https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2500.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/363725https://hackerone.com/reports/1579645
2022-08-05
Published