CVE-2022-2904 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

4.9%

top 10.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedNov 2

Latest updateNov 3

Description

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDgitlab/gitlab15.2 — 15.2.5+4

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=15.2, <15.2.5, >=15.3, <15.3.4, >=15.4, <15.4.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-pfg9-h349-wqvq: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2022-11-03

▶

OSV

CVE-2022-2904: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2022-11-02

▶

📋Vendor Advisories

GitLab

CVE-2022-2904: A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 1↗2022-11-02

▶

Debian

CVE-2022-2904: gitlab - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all v...↗2022

▶