CVE-2019-5471

MEDIUM

GitLab 11.11.0-11.11.6 - Stored Cross-Site Scripting in Email Notification Feature

Title source: llm

Description

An input validation and output encoding issue was discovered in the GitLab email notification feature which could result in a persistent XSS. This was addressed in GitLab 12.1.2, 12.0.4, and 11.11.6.

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://hackerone.com/reports/496973

Exploit, Vendor Advisory x_refsource_confirm

https://gitlab.com/gitlab-org/gitlab-ee/issues/11515

Broken Link, Vendor Advisory

https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

Scores

CVSS v3 5.4

EPSS 0.0007

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

gitlab/gitlab 11.11.0 - 11.11.7 (2 CPE variants)

Published Sep 09, 2019

Tracked Since Feb 18, 2026