CVE-2019-12442
Description
An issue was discovered in GitLab Enterprise Edition 11.7 through 11.11. The epic details page lacked input validation and output encoding, which resulted in a persistent XSS vulnerability on child epics.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in GitLab EE epic details page allows attackers to inject arbitrary JavaScript via child epics.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in GitLab Enterprise Edition versions 11.7 through 11.11. The epic details page fails to properly validate user input and encode output when rendering child epics, allowing malicious script injection [2].
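To make the encoding failure concrete, the following is a constructed Ruby example added here; it is not GitLab's code, and the epic fields, function names and sample titles are assumptions. It contrasts interpolating a child epic title straight into markup with HTML-encoding it at output time via ERB::Util.html_escape, and includes a small regression check a reviewer can run over rendered output.

```ruby
require "erb"

# Constructed sample child epics (assumed shape, not GitLab's data model):
# one benign title and one carrying markup of the kind the CVE describes
# being rendered without output encoding.
SAMPLE_CHILD_EPICS = [
  { id: 1, title: "Ship release 11.11" },
  { id: 2, title: "<script>alert(1)</script>" },
].freeze

# Unsafe pattern: the user-controlled title is interpolated verbatim, so any
# markup it contains becomes part of the page's DOM.
def render_child_epic_unescaped(epic)
  "<li data-epic-id=\"#{epic[:id]}\">#{epic[:title]}</li>"
end

# Hardened pattern: every user-controlled value is HTML-encoded at the point
# of output, so markup in the title is shown as literal text instead of
# being parsed by the browser.
def render_child_epic_escaped(epic)
  id = ERB::Util.html_escape(epic[:id].to_s)
  title = ERB::Util.html_escape(epic[:title])
  "<li data-epic-id=\"#{id}\">#{title}</li>"
end

# Renders the whole child-epic list using the hardened item renderer.
def render_child_epic_list(epics)
  items = epics.map { |epic| render_child_epic_escaped(epic) }.join
  "<ul class=\"child-epics\">#{items}</ul>"
end

# Regression check: returns true when a title that contains markup
# characters reached the rendered output unchanged, i.e. encoding was skipped.
def title_leaks_markup?(epic, rendered)
  title = epic[:title]
  title.match?(/[<>"'&]/) && rendered.include?(title)
end

if __FILE__ == $0
  SAMPLE_CHILD_EPICS.each do |epic|
    unsafe = render_child_epic_unescaped(epic)
    safe = render_child_epic_escaped(epic)
    puts "unescaped: #{unsafe}  leaks=#{title_leaks_markup?(epic, unsafe)}"
    puts "escaped:   #{safe}  leaks=#{title_leaks_markup?(epic, safe)}"
  end
end
```

The check only answers one question, whether untrusted text crossed into markup unencoded; it does not decide whether a given string is dangerous, which is the right division of labour, since output encoding should be unconditional rather than payload-driven.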
Exploitation
An authenticated attacker with the ability to create or edit child epics can inject arbitrary JavaScript into the epic name or description. When any user views the epic details page, the injected script executes in their browser session [2].
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the victim's browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim [2].
Mitigation
The vulnerability is fixed in GitLab EE version 11.11.1, released on June 3, 2019 [2]. Users should upgrade to 11.11.1 or later. No workaround is documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab/GitLab Enterprise Edition
- Range: >=11.7 <11.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/blog/categories/releases/ (MISC)
- about.gitlab.com/releases/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/ (CONFIRM)
News mentions
No linked articles in our index yet.