Lucene search

Veracode Vulnerability DatabaseVERACODE:42360

HistoryAug 06, 2023 - 7:01 p.m.

Cross-Site Scripting (XSS)

2023-08-0619:01:03

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

xss

vulnerability

web page

generation

attacker

jupyter notebook

crafted tag

victim

browser

sensitive information

software

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

44.2%

JSON

gitlab is vulnerable to a cross-site scripting (XSS) vulnerability. This vulnerability occurs due to improper neutralization of input during web page generation. An attacker can exploit this vulnerability by creating a malicious Jupyter notebook that contains a crafted tag. When a victim views the notebook, the malicious tag will be executed in the victim’s browser, allowing the attacker to steal cookies or other sensitive information.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2428.json

gitlab.com/gitlab-org/gitlab/-/issues/362272

hackerone.com/reports/1563379

security-tracker.debian.org/tracker/CVE-2022-2428

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

44.2%

JSON

Related for VERACODE:42360