CVE-2023-3500 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 36.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedAug 2

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDgitlab/gitlab10.0 — 16.0.8+2

▶debiandebian/gitlab< gitlab 16.0.8+ds1-1 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-xgmj-r659-f4c7: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10↗2023-08-02

▶

OSV

CVE-2023-3500: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10↗2023-08-02

▶

📋Vendor Advisories

GitLab

CVE-2023-3500: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, a↗2023-08-02

▶

Red Hat

gitlab: XSS attack by creating specific PlantUML diagrams↗2023-08-02

▶

Debian

CVE-2023-3500: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting fro...↗2023

▶