Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.

Related CPE's

a

gitlab

gitlab

6

a

abb

drive_composer

2

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3573.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/378216

Broken Link

https://hackerone.com/reports/1730461

Permissions RequiredThird Party Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3573.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/378216

Broken Link

https://hackerone.com/reports/1730461

Permissions RequiredThird Party Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/378216

Broken Link

Weaknesses

[email protected]

Primary
CWE-79

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.4 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-01-12T04:15:08.803

2 years ago

Last modified

2025-04-08T16:15:22.300

3 months ago