Ryotakon

**Name of the Vulnerable Software and Affected Versions** GitLab versions 12.8 through 15.8.5 GitLab versions 15.9 through 15.9.4 GitLab versions 15.10 through 15.10.1 **Description** An issue has been discovered in GitLab where a specially crafted payload could lead to a reflected XSS on the client side. This allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict Content Security Policy (CSP). **Recommendations** For versions 12.8 through 15.8.5, update to version 15.8.5 or later. For versions 15.9 through 15.9.4, update to version 15.9.4 or later. For versions 15.10 through 15.10.1, update to version 15.10.1 or later. As a temporary workaround, consider implementing strict CSP on self-hosted instances to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 15.3 through 15.7.8 GitLab CE/EE version 15.8 through 15.8.4 GitLab CE/EE version 15.9 through 15.9.2 **Description** A cross-site scripting issue was found in the title field of work items, allowing attackers to perform arbitrary actions on behalf of victims at the client side. **Recommendations** For versions 15.3 through 15.7.8, update to version 15.7.8 or later. For version 15.8 through 15.8.4, update to version 15.8.4 or later. For version 15.9 through 15.9.2, update to version 15.9.2 or later. As a temporary workaround, consider restricting access to the title field of work items until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 13.5 through 15.3.5 GitLab CE/EE versions 15.4 through 15.4.4 GitLab CE/EE versions 15.5 through 15.5.2 **Description** A cross-site scripting issue has been discovered in GitLab CE/EE. It was possible to exploit a vulnerability in setting the Jira Connect integration, which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims. **Recommendations** For versions 13.5 through 15.3.5, update to version 15.3.5 or later. For versions 15.4 through 15.4.4, update to version 15.4.4 or later. For versions 15.5 through 15.5.2, update to version 15.5.2 or later. As a temporary workaround, consider disabling the Jira Connect integration until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 15.4 through 15.5.7 GitLab CE/EE versions 15.6 through 15.6.4 GitLab CE/EE versions 15.7 through 15.7.2 **Description** The issue arises from inadequate filtering of query parameters on the wiki changes page, allowing an attacker to execute arbitrary JavaScript on self-hosted instances without strict Content Security Policy (CSP). This can lead to the execution of arbitrary JavaScript code. **Recommendations** For versions 15.4 through 15.5.7, update to version 15.5.7 or later. For versions 15.6 through 15.6.4, update to version 15.6.4 or later. For versions 15.7 through 15.7.2, update to version 15.7.2 or later. As a temporary workaround, consider implementing strict Content Security Policy (CSP) on self-hosted instances to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.1 through 15.3.5 GitLab CE/EE versions 15.4 through 15.4.4 GitLab CE/EE versions 15.5 through 15.5.2 **Description** An issue has been discovered in GitLab CE/EE. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker-controlled server. **Recommendations** For versions 12.1 through 15.3.5, update to version 15.3.5 or later. For versions 15.4 through 15.4.4, update to version 15.4.4 or later. For versions 15.5 through 15.5.2, update to version 15.5.2 or later. As a temporary workaround, consider restricting access to the Datadog integration until a patch is available.