|
|
|||
| Rule General Information |
|---|
| Release Date: | 2022-06-21 | |
| Rule Name: | GitLab Community and Enterprise Edition Notes Stored Cross Site Scripting Vulnerability (CVE-2022-1175) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. | |
| Impact: | An attacker can conduct a cross-site scripting attack to inject malicious client-side scripts into web pages viewed by other users, or to bypass access controls such as the same-origin policy, if affected version is installed. | |
| Affected OS: | Windows, Others | |
| Reference: | http://packetstormsecurity.com/files/166829/Gitlab-14.9-Cross-Site-Scripting.html https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1175.json https://gitlab.com/gitlab-org/gitlab/-/issues/353370 https://hackerone.com/reports/1481207 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: http://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/ |