CVE-2022-3513

Description

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP.

How to fix CVE-2022-3513

To remediate CVE-2022-3513, upgrade the affected package to a fixed version below.

—upgrade to 15.8.5 or later

Is CVE-2022-3513 being exploited?

Moderate — EPSS is 27.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 12.8.0, < 15.8.5, >= 15.9.0, < 15.9.4, >= 15.10.0, < 15.10.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

WEBgitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3513.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/377970
WEBhackerone.com/reports/1728015
WEBnvd.nist.gov/vuln/detail/CVE-2022-3513