Lucene search

Veracode Vulnerability DatabaseVERACODE:42157

HistoryAug 06, 2023 - 5:30 a.m.

Cross-Site Scripting (XSS)

2023-08-0605:30:42

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

xss

gitlab

vulnerability

stored

authenticated attacker

arbitrary actions

client side

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

45.6%

JSON

gitlab is vulnerable to Cross-Site Scripting (XSS) attacks. It is possible to exploit the vulnerability via setting the labels colour feature which leads to a stored XSS that allows an authenticated attacker to perform arbitrary actions on behalf of victims at client side.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3265.json

gitlab.com/gitlab-org/gitlab/-/issues/374976

hackerone.com/reports/1693150

security-tracker.debian.org/tracker/CVE-2022-3265

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

45.6%

JSON

Related for VERACODE:42157