An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Fixes

Solution

Upgrade to versions 18.0.6, 18.1.4, 18.2.2 or above.


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Aug 2025 17:45:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2025-08-13T20:35:29.997Z

Reserved: 2025-07-17T01:32:22.499Z

Link: CVE-2025-7734

cve-icon Vulnrichment

Updated: 2025-08-13T20:35:23.870Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-13T18:15:32.703

Modified: 2025-08-15T16:33:23.090

Link: CVE-2025-7734

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.