CVE-2023-2015

MEDIUM

GitLab 15.8-15.10.8, 15.11-15.11.7, 16.0-16.0.2 - Reflected Cross-Site Scripting via Abuse Report Creation

Title source: llm

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims.

References (3)

Core 3

Core References

Vendor Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2015.json

Broken Link

https://gitlab.com/gitlab-org/gitlab/-/issues/407137

Permissions Required, Third Party Advisory

https://hackerone.com/reports/1941091

Scores

CVSS v3 4.4

EPSS 0.0810

EPSS Percentile 92.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

gitlab/gitlab 15.8.0 - 15.10.8 (2 CPE variants)

Published Jun 07, 2023

Tracked Since Feb 18, 2026