CVE-2023-0050
published 2023-03-09


Priority: P3 (48) · Severity: medium · Score: 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 92.42% (99.8th percentile)
An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

Affected

8 ranges
Vendor         | Product | Version range                    | Fixed in
debian         | gitlab  | < gitlab 15.10.8+ds1-2 (sid)     | gitlab 15.10.8+ds1-2 (sid)
gitlab         | gitlab  |                                  |
gitlab         | gitlab  |                                  |
gitlab         | gitlab  |                                  |
gitlab         | gitlab  |                                  |
gitlab         | gitlab  | >= 13.7 < 15.7.8                 | 15.7.8
gitlab         | gitlab  | >= 15.8 < 15.8.4                 | 15.8.4
gitlab         | gitlab  | >= 15.9 < 15.9.2                 | 15.9.2

Detection & IOCs

  • Stored XSS delivered via a specially crafted Kroki diagram in GitLab; monitor for unexpected or malformed Kroki diagram markup in GitLab issues, wikis, or merge requests that may contain embedded script payloads.
  • Audit GitLab instances running versions 13.7 through 15.7.7, 15.8.0–15.8.3, or 15.9.0–15.9.1 for stored Kroki diagram content that may contain injected JavaScript.
  • The vulnerability is scoped as 'local' impact per Debian's security tracker, suggesting exploitation requires an authenticated user or local access context within the GitLab instance.
  • Debian resolved this in package version 15.10.8+ds1-2; environments running older packaged versions remain exposed.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv           |         | 5.4   | MEDIUM   |
vendor_debian |         | 8.7   | HIGH     |
vendor_redhat |         | 5.5   | MEDIUM   |