CVE-2022-3573

CWE-79 — Cross-site Scripting (XSS)7 documents7 sources

Severity

5.4MEDIUM

EPSS

0.8%

top 26.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Gitlab ABB Drive Composer

Timeline

PublishedJan 12

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDgitlab/gitlab15.4.0 — 15.5.7+2

▶CVEListV5gitlab/gitlab>=15.4, <15.5.7, >=15.6, <15.6.4, >=15.7, <15.7.2+2

▶NVDabb/drive_composer2.8

🔴Vulnerability Details

GHSA

GHSA-jwcg-x754-2vpg: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2023-01-12

▶

OSV

CVE-2022-3573: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2023-01-12

▶

CVEList

CVE-2022-3573: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15↗2023-01-12

▶

VulnCheck

GitLab gitlab Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗2022

▶

📋Vendor Advisories

GitLab

CVE-2022-3573: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, a↗2023-01-12

▶

Debian

CVE-2022-3573: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...↗2022

▶