CVE-2022-1175
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 10.3%
Description
Improper neutralization of user input in GitLab CE/EE, in all versions starting from 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2, allowed an attacker to perform cross-site scripting (XSS) by injecting HTML into notes.
How to fix CVE-2022-1175
To remediate CVE-2022-1175, upgrade the affected package to the first fixed release of the branch you are running. "14.7.7 or later" is not sufficient on its own: 14.8.0 through 14.8.4 are newer than 14.7.7 and still affected.
- Bitnami/gitlab, 14.4.x to 14.7.x: upgrade to 14.7.7 or later in the 14.7 series
- Bitnami/gitlab, 14.8.x: upgrade to 14.8.5 or later
- Bitnami/gitlab, 14.9.x: upgrade to 14.9.2 or later
Is CVE-2022-1175 being exploited?
Moderate. An EPSS of 10.3% is an estimated probability of roughly one in ten that exploitation activity is observed within the next 30 days. Track this CVE, but it does not belong at the top of the prioritisation list; note that the vector (PR:N, UI:R) describes an unauthenticated attacker who still needs a victim to view the injected note.
Affected packages (1)
- Bitnami/gitlab: >= 14.4.0, < 14.7.7; >= 14.8.0, < 14.8.5; >= 14.9.0, < 14.9.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |