CVE-2023-3500
Published: 2023-08-02
Priority: P4 · 27 · medium · 6.1 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.47% (37.5th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 16.0.8+ds1-1 (sid) | gitlab 16.0.8+ds1-1 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 10.0 < 16.0.8 | 16.0.8 |
| gitlab | gitlab | >= 16.1 < 16.1.3 | 16.1.3 |
| gitlab | gitlab | >= 16.2 < 16.2.2 | 16.2.2 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | — |
| vendor_debian | 4.8 | MEDIUM | — |
| vendor_redhat | 4.8 | MEDIUM | — |
GitLab
vendor_gitlab · 2023-08-02 · CVSS 4.8 · MEDIUM · CWE-79
Red Hat
vendor_redhat · 2023-08-02 · CVSS 4.8 · MEDIUM
Title: gitlab: XSS attack by creating specific PlantUML diagrams
Statement: The GitLab package used in OpenShift is a GitLab API NodeJS library which is not affected by CVE-2023-3500.
Package: openshift4/ose-console (Red Hat OpenShift Container Platform 4) - Not affected
Debian
vendor_debian · 2023 · CVSS 4.8 · MEDIUM
Scope: local
sid: resolved (fixed in 16.0.8+ds1-1)
GHSA
GHSA-xgmj-r659-f4c7 · ghsa_unreviewed · 2023-08-02 · MEDIUM · CWE-79
OSV
osv · 2023-08-02 · CVSS 6.1 · MEDIUM
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.