CVE-2023-0050

HIGH

GitLab 13.7-15.7.7, 15.8-15.8.3, 15.9-15.9.1 - Stored Cross-Site Scripting via Kroki Diagram

Title source: llm

Description

An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

References (3)

Core 3

Core References

Vendor Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0050.json

Broken Link

https://gitlab.com/gitlab-org/gitlab/-/issues/387023

Permissions Required

https://hackerone.com/reports/1731349

Scores

CVSS v3 8.7

EPSS 0.5651

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

gitlab/gitlab 13.7 - 15.7.8 (2 CPE variants)

Published Mar 09, 2023

Tracked Since Feb 18, 2026