Impact
GitLab Community and Enterprise Editions were affected by an improper input sanitization flaw that allows an authenticated user to inject arbitrary JavaScript into a web page rendered by other users, enabling cross‑site scripting. The flaw is defined as CWE‑79 and can result in data theft, credential compromise, or session hijacking in the victim’s browser.
Affected Systems
The vulnerability applies to all GitLab CE/EE releases from 15.7 up to, but not including, 18.11.7; from 19.0 up to, but not including, 19.0.4; and from 19.1 up to, but not including, 19.1.2. Users running any of those unpatched versions are therefore at risk.
Risk and Exploitability
The CVSS score of 7.3 indicates a moderate to high severity, but no EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because the flaw requires an authenticated user, the attack vector is limited to privileged accounts in the GitLab instance, although successful exploitation can affect other users who view the compromised content. Official remediation is to upgrade to at least version 18.11.7, 19.0.4, or 19.1.2.
OpenCVE Enrichment