An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP.
References
| Link | Resource |
|---|---|
| https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3573.json | Vendor Advisory |
| https://gitlab.com/gitlab-org/gitlab/-/issues/378216 | Broken Link |
| https://hackerone.com/reports/1730461 | Permissions Required Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
22 Mar 2023, 16:19
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:abb:drive_composer:*:*:*:*:pro:*:*:* cpe:2.3:a:abb:drive_composer:*:*:*:*:entry:*:*:* |
|
| First Time |
Abb
Abb drive Composer |
20 Jan 2023, 15:44
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| CWE | CWE-79 | |
| CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* |
|
| First Time |
Gitlab gitlab
Gitlab |
|
| References | (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3573.json - Vendor Advisory | |
| References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/378216 - Broken Link | |
| References | (MISC) https://hackerone.com/reports/1730461 - Permissions Required, Third Party Advisory |
12 Jan 2023, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-01-12 04:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-3573
Mitre link : CVE-2022-3573
CVE.ORG link : CVE-2022-3573
JSON object : View
Products Affected
gitlab
- gitlab
abb
- drive_composer
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')