CVE-2022-1948
GitLab 15.0 - Stored Cross-Site Scripting via Quick Actions Contact Details Injection
Severity
HIGH
An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.
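The defect class described above (stored XSS from contact details that reach HTML output without validation or escaping), shown as an added Ruby example. This is not GitLab's code and does not reproduce the actual vulnerable quick-action path; the Contact struct, the two renderers, the validity check and the sample contacts are all constructed for illustration.

```ruby
# Added example: generic stored-XSS pattern behind CVE-2022-1948.
# NOT GitLab's code. Contact, render_contact_unsafe, render_contact_safe,
# contact_valid? and the sample contacts are hypothetical.
require "erb"

Contact = Struct.new(:first_name, :last_name, :email)

# Constructed attacker-controlled contact: markup saved into a name field,
# later referenced from a quick action that renders the contact into a note.
MALICIOUS_CONTACT = Contact.new(
  "Alice<img src=x onerror=alert(document.cookie)>",
  "Smith",
  "alice@example.com"
)
# Constructed benign contact with an apostrophe, to show escaping does not
# mangle ordinary names.
BENIGN_CONTACT = Contact.new("Bob", "O'Neil", "bob@example.com")

# Escape one untrusted field for an HTML text or attribute context.
def h(field)
  ERB::Util.html_escape(field.to_s)
end

# Vulnerable pattern: contact fields are interpolated verbatim into HTML,
# so any markup stored in the contact runs in the viewer's browser.
def render_contact_unsafe(contact)
  "<p>Added contact <b>#{contact.first_name} #{contact.last_name}</b> " \
  "(<a href=\"mailto:#{contact.email}\">#{contact.email}</a>)</p>"
end

# Hardened pattern: every untrusted field is HTML-escaped at output time.
def render_contact_safe(contact)
  "<p>Added contact <b>#{h(contact.first_name)} #{h(contact.last_name)}</b> " \
  "(<a href=\"mailto:#{h(contact.email)}\">#{h(contact.email)}</a>)</p>"
end

# Input-side validation (defence in depth, independent of output escaping):
# a name or e-mail address never legitimately contains angle brackets.
MARKUP = /[<>]/
def contact_valid?(contact)
  contact.to_a.none? { |field| field.to_s.match?(MARKUP) }
end

# Check used to decide whether rendered HTML still carries a live tag that
# originated in the contact data rather than in the template.
def leaks_markup?(html)
  html.match?(/<img\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_contact_unsafe(MALICIOUS_CONTACT)}"
  puts "safe:   #{render_contact_safe(MALICIOUS_CONTACT)}"
  puts "valid?  #{contact_valid?(MALICIOUS_CONTACT)}"
end
```

Escaping at the output boundary is the fix that closes the bug; the input-side check is a second layer that also makes the injection attempt visible at submission time rather than at render time.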
References (3)
Core References
Permissions Required (x_refsource_misc): https://gitlab.com/gitlab-org/security/gitlab/-/issues/673
Permissions Required (x_refsource_misc): https://hackerone.com/reports/1578400
Vendor Advisory (x_refsource_confirm): https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1948.json
Scores
CVSS v3
8.7
EPSS
0.0134
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (1)
gitlab/gitlab
15.0.0 (2 CPE variants)
Published
Jul 28, 2022
Tracked Since
Feb 18, 2026