CVE-2022-3513Cross-site Scripting in Gitlab

CWE-79Cross-site Scripting5 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
23.6%
top 3.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedApr 5

Description

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

NVDgitlab/gitlab12.8.015.8.5+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=12.8, <15.8.5, >=15.10, <15.10.1, >=15.9, <15.9.4+2
gitlabgitlab/gitlab

🔴Vulnerability Details

2
OSV
CVE-2022-3513: An issue has been discovered in GitLab affecting all versions starting from 122023-04-05
GHSA
GHSA-8w2x-795m-pv4v: An issue has been discovered in GitLab affecting all versions starting from 122023-04-05

📋Vendor Advisories

2
GitLab
CVE-2022-3513: An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all ver2023-04-05
Debian
CVE-2022-3513: gitlab - An issue has been discovered in GitLab affecting all versions starting from 12.8...2022