CVE-2021-39946
5.4
MEDIUM
CVSS 3.1
EPSS 0.18%
Description
Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis.
How to fix CVE-2021-39946
To remediate CVE-2021-39946, upgrade to the first fixed release of the minor line you are running (or any later release). Note that a version above 14.3.6 is not necessarily fixed: 14.4.0 to 14.4.3 and 14.5.0 to 14.5.1 remain affected.
- Bitnami/gitlab: upgrade to 14.3.6, 14.4.4 or 14.5.2 (depending on your minor line) or later
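Because the fixed versions are per minor line, a plain "greater than 14.3.6" check gets this advisory wrong. The following added example (not code from GitLab, Bitnami or this page) checks a GitLab version string against the three affected ranges published above and names the release to upgrade to. The `14.4.3-ee` style suffix handling and the sample JSON body are assumptions about what a GitLab `/api/v4/version` response looks like, not taken from this page.

```python
from __future__ import annotations
import json

# Affected ranges for CVE-2021-39946 as published on this page
# (lower bound inclusive, upper bound exclusive). The upper bound of each
# range is the first fixed release on that minor line.
AFFECTED_RANGES = [
    ("14.3.0", "14.3.6"),
    ("14.4.0", "14.4.4"),
    ("14.5.0", "14.5.2"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '14.4.3' or '14.4.3-ee' into a comparable tuple of integers.

    Assumption: a trailing '-ee'/'-ce' edition suffix is ignored, since CE and
    EE share the same version numbering for this advisory."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # let '14.4' compare like '14.4.0'
        nums.append(0)
    return tuple(nums)


def affected_range(version: str) -> tuple[str, str] | None:
    """Return the (low, high) range that contains `version`, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def is_vulnerable(version: str) -> bool:
    return affected_range(version) is not None


def remediation(version: str) -> str:
    """Human-readable verdict with the first fixed release on the same line."""
    r = affected_range(version)
    if r is None:
        return f"{version}: not in an affected range for CVE-2021-39946"
    return f"{version}: affected by CVE-2021-39946; upgrade to {r[1]} or later"


def check_version_response(body: str) -> str:
    """Feed the JSON body of an authenticated GET /api/v4/version call
    (assumed shape: {"version": "...", "revision": "..."}) to `remediation`."""
    return remediation(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = '{"version": "14.4.3-ee", "revision": "deadbeef"}'
    print(check_version_response(sample))
    for v in ("14.3.5", "14.3.6", "14.5.1", "14.5.2", "14.6.0"):
        print(remediation(v))
```

The version string can be obtained from `GET /api/v4/version` with an authenticated token, or on the host from `gitlab-rake gitlab:env:info`; either way, compare against all three ranges rather than a single threshold.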
Is CVE-2021-39946 being exploited?
Low. The EPSS score is 0.18%, an estimated probability of exploitation in the wild over the next 30 days, not a record of observed attacks; exploitation activity has not been observed at scale.
Affected packages (1)
- Bitnami/gitlab: >= 14.3.0, < 14.3.6; >= 14.4.0, < 14.4.4; >= 14.5.0, < 14.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |