PT-2022-21432 · Gitlab · Gitlab Ce/Ee+1

Yvvdwf

Published

2022-11-09

Updated

2024-03-06

CVE-2022-3265

CVSS v3.1

7.3

High

Vector

AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions prior to 15.3.5 GitLab CE/EE version 15.4 prior to 15.4.4 GitLab CE/EE version 15.5 prior to 15.5.2

Description A cross-site scripting issue has been discovered in GitLab CE/EE. It was possible to exploit a vulnerability in setting the labels colour feature, which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at the client side.

Recommendations For GitLab CE/EE versions prior to 15.3.5, update to version 15.3.5 or later. For GitLab CE/EE version 15.4 prior to 15.4.4, update to version 15.4.4 or later. For GitLab CE/EE version 15.5 prior to 15.5.2, update to version 15.5.2 or later. As a temporary workaround, consider restricting access to the labels colour feature until a patch is available.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BIT-GITLAB-2022-3265

CVE-2022-3265

Affected Products

Gitlab

Gitlab Ce/Ee

PT-2022-21432 · Gitlab · Gitlab Ce/Ee+1

CVE-2022-3265

Weakness Enumeration

Related Identifiers

Affected Products

References · 12