cve-2022-1948
Vulnerability from cvelistv5
Published
2022-07-28 14:46
Modified
2024-08-03 00:24
Severity
Summary
An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.
References
| Source | URL | Tags |
|---|---|---|
| cve@gitlab.com | https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json | Vendor Advisory |
| cve@gitlab.com | https://gitlab.com/gitlab-org/security/gitlab/-/issues/673 | Permissions Required |
| cve@gitlab.com | https://hackerone.com/reports/1578400 | Permissions Required |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:42.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/673"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1578400"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=15.0.0, \u003c15.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks cryptopone(https://hackerone.com/cryptopone) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-28T14:46:01",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/673"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1578400"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2022-1948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab",
"version": {
"version_data": [
{
"version_value": "\u003e=15.0.0, \u003c15.0.1"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks cryptopone(https://hackerone.com/cryptopone) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/673",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/673"
},
{
"name": "https://hackerone.com/reports/1578400",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1578400"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2022-1948",
"datePublished": "2022-07-28T14:46:01",
"dateReserved": "2022-05-31T00:00:00",
"dateUpdated": "2024-08-03T00:24:42.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-1948\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2022-07-28T15:15:07.600\",\"lastModified\":\"2022-08-04T14:37:47.570\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en GitLab afectando a todas las versiones desde 15.0 hasta 15.0.1. Una falta de comprobaci\u00f3n de la entrada usada en las acciones r\u00e1pidas permit\u00eda a un atacante explotar una vulnerabilidad de tipo XSS al inyectar HTML en los datos de contacto\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:15.0.0:*:*:*:community:*:*:*\",\"matchCriteriaId\":\"00FDE831-EC28-4124-AC9F-A1C089D5BBFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:15.0.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"E8953D9B-56DF-4AA2-BFDC-B28CF4F31CB5\"}]}]}],\"references\":[{\"url\":\"https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/security/gitlab/-/issues/673\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://hackerone.com/reports/1578400\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\"]}]}}"
}
}
Loading...