CVE-2022-1175

HIGH

Gitlab < 14.7.7 - XSS

Title source: rule

Description

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

Exploits (2)

exploitdb WORKING POC
by Greenwolf · text · webapps · ruby
https://www.exploit-db.com/exploits/50889
nomisec WORKING POC · 1 star
by Greenwolf · poc
https://github.com/Greenwolf/CVE-2022-1175

Scores

CVSS v3 8.7
EPSS 0.1032
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-79
Status published
Products (1)
gitlab/gitlab 14.4.0 - 14.7.7 (2 CPE variants)
Published Apr 04, 2022
Tracked Since Feb 18, 2026