CVE-2023-2164Cross-site Scripting in Gitlab

CWE-79Cross-site Scripting6 documents6 sources
Severity
5.4MEDIUMNVD
EPSS
52.2%
top 2.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedAug 2

Description

An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

CVEListV5gitlab/gitlab16.1.016.1.3+1
NVDgitlab/gitlab15.916.0.8+2
debiandebian/gitlab< gitlab 16.0.8+ds1-1 (sid)
gitlabgitlab/gitlab

🔴Vulnerability Details

2
OSV
CVE-2023-2164: An issue has been discovered in GitLab affecting all versions starting from 152023-08-02
GHSA
GHSA-4vc2-wm37-4628: An issue has been discovered in GitLab affecting all versions starting from 152023-08-02

📋Vendor Advisories

3
Red Hat
gitlab: XSS vulnerability on user interaction with a crafted URL2023-08-02
GitLab
CVE-2023-2164: An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all ver2023-08-02
Debian
CVE-2023-2164: gitlab - An issue has been discovered in GitLab affecting all versions starting from 15.9...2023