CVE-2022-3573

MEDIUM EXPLOITED

GitLab CE/EE <15.5.7/<15.6.4/<15.7.2 - XSS

Title source: llm

Exploitation Summary

CVE-2022-3573 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. Due to improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on self-hosted instances running without a strict CSP.

References (3)


Scores

CVSS v3: 5.4
EPSS: 0.0133
EPSS Percentile: 80.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

VulnCheck KEV: 2025-01-15
CWE: CWE-79
Status: published
Products (2):
abb/drive_composer < 2.8 (2 CPE variants)
gitlab/gitlab 15.4.0 - 15.5.7 (2 CPE variants)
Published: Jan 12, 2023
Tracked Since: Feb 18, 2026