An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
Fixes

Solution

Upgrade to version 18.2.2 or above.


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Aug 2025 17:45:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2025-08-13T20:36:20.769Z

Reserved: 2025-07-17T06:04:25.028Z

Link: CVE-2025-7739

cve-icon Vulnrichment

Updated: 2025-08-13T20:36:15.547Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-13T18:15:32.883

Modified: 2025-08-15T16:33:31.673

Link: CVE-2025-7739

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.