CVE-2023-0050 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

59.6%

top 1.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedMar 9

Latest updateMay 2

Description

An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDgitlab/gitlab13.7 — 15.7.8+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=13.7, <15.7.8, >=15.8, <15.8.4, >=15.9, <15.9.2+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-58vv-56m5-q92p: An issue has been discovered in GitLab affecting all versions starting from 13↗2023-03-10

▶

OSV

CVE-2023-0050: An issue has been discovered in GitLab affecting all versions starting from 13↗2023-03-09

▶

📋Vendor Advisories

Red Hat

kernel: usb: typec: tcpm: fix warning when handle discover_identity message↗2025-05-02

▶

GitLab

CVE-2023-0050: An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all ver↗2023-03-09

▶

Debian

CVE-2023-0050: gitlab - An issue has been discovered in GitLab affecting all versions starting from 13.7...↗2023

▶