VYPR
Unrated severity · NVD Advisory · Published Jan 3, 2020 · Updated Aug 5, 2024

CVE-2019-19311

Description

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 allows XSS in group and profile fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 contain a stored XSS in the group name and user full name fields, allowing attacker-injected scripts to execute on issue pages.

Vulnerability

GitLab EE versions 8.14 through 12.5, as well as 12.4.3 and 12.3.6, contain a stored cross-site scripting (XSS) vulnerability in the group name and user full name fields. An attacker with the ability to create groups or edit their own profile can store HTML/JavaScript payloads in the group name or user full name. The stored values are rendered into issue pages without escaping, so the payload executes when a victim views a group or issue associated with the manipulated data [1].

Exploitation

An authenticated attacker changes their full name or creates a group using a payload that begins with `">` to break out of the surrounding attribute and tag, followed by HTML/JavaScript [1]. The attacker then creates an issue, assigns labels, and moves the issue to the crafted group. When any user, including the attacker, reloads the issue page, the injected script executes in the context of the victim's browser session [1].
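The following Ruby snippet is an added illustration of the mechanism described in the Vulnerability and Exploitation sections; it is not GitLab's code. It models a simplified issue-header template in two forms: one that interpolates stored display names verbatim (the behaviour the advisory describes, equivalent to marking the string `html_safe` or using `raw` in a Rails view) and one that routes every untrusted value through `ERB::Util.html_escape`, which is what a plain `<%= %>` does in Rails. The group, the user, and the `"><img ...>` payload are constructed sample data; the real payload is not reproduced in the references. The `suspicious_names` helper is a hypothetical post-upgrade audit that flags stored names containing HTML metacharacters so an operator can check whether an instance was already seeded with a payload.

```ruby
require 'erb'

# Constructed sample records (not GitLab data). The payload is hypothetical:
# it closes the attribute and tag it lands in, then adds an <img> with an
# event handler, the classic attribute-breakout shape.
PAYLOAD = '"><img src=x onerror=alert(document.domain)>'
GROUP   = { name: "Platform Team #{PAYLOAD}", path: 'platform-team' }.freeze
AUTHOR  = { full_name: "Eve #{PAYLOAD}", username: 'eve' }.freeze

# Vulnerable renderer: stored names are interpolated into markup verbatim,
# both inside a title attribute and as element text. The browser parses the
# payload as live markup.
def render_issue_header_vulnerable(group, author)
  %(<a title="#{group[:name]}" href="/#{group[:path]}">#{group[:name]}</a> ) +
    %(opened by <span title="#{author[:full_name]}">#{author[:full_name]}</span>)
end

# Hardened renderer: every untrusted value is HTML-escaped before it is
# placed into either an attribute value or element text. html_escape turns
# " into &quot; and < into &lt;, so the attribute cannot be closed early and
# no new tag is created.
def render_issue_header_safe(group, author)
  h = ->(s) { ERB::Util.html_escape(s) }
  %(<a title="#{h.(group[:name])}" href="/#{h.(group[:path])}">#{h.(group[:name])}</a> ) +
    %(opened by <span title="#{h.(author[:full_name])}">#{h.(author[:full_name])}</span>)
end

# Lists element names that appear in a rendered fragment beyond the two the
# template itself emits (<a> and <span>). Anything else was injected.
def injected_tags(html)
  html.scan(/<([a-z][a-z0-9]*)/i).flatten.map(&:downcase) - %w[a span]
end

# Hypothetical audit helper for an existing instance: flag stored display
# names that contain angle brackets, inline event handlers or javascript:
# URLs. Legitimate names rarely contain these, so hits deserve manual review
# after upgrading, because the patch stops rendering them but does not
# remove them from the database.
SUSPICIOUS = /[<>]|\bon\w+\s*=|javascript:/i
def suspicious_names(records, field)
  records.select { |r| r[field].to_s.match?(SUSPICIOUS) }
end
```

Running `injected_tags` over the two renderers shows the difference directly: the vulnerable output carries four injected `img` elements (the payload is rendered once per attribute and once per text node for each of the two names), while the hardened output carries none and contains the literal `&lt;img` instead.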

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the GitLab application origin. This can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The attack does not require administrative privileges; only the ability to create a group or edit one's own profile is needed [1].

Mitigation

GitLab addressed this issue in versions 12.5.1, 12.4.4, and 12.3.7, released as a security release on 2019-11-27 [1]. Users should upgrade to the patched release for their branch, or to the latest version, immediately. No workaround is provided in the available references [2]. The vulnerability is not listed on the CISA KEV as of the publication date [1][2].
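As an added helper (not GitLab's code) for triaging an installed instance against the version ranges in this advisory, the check below takes the version string reported by the instance and decides whether it falls in an affected range. It encodes the three fixed releases: 12.3.x below 12.3.7, 12.4.x below 12.4.4, and everything else from 8.14 up to but excluding 12.5.1. The `-ee` suffix handling is an assumption about how the string may be reported; it matters because `Gem::Version` treats a hyphenated suffix as a pre-release, which would otherwise make `12.5.1-ee` sort below `12.5.1` and be wrongly flagged.

```ruby
require 'rubygems' # Gem::Version; already loaded on modern Ruby

# Fixed releases per the advisory. Older releases on the same minor branch
# are affected; on every other branch the cutoff is 12.5.1.
FIXED_BY_BRANCH = { '12.3' => '12.3.7', '12.4' => '12.4.4' }.freeze
FIRST_AFFECTED  = Gem::Version.new('8.14.0')
FIXED_MAINLINE  = Gem::Version.new('12.5.1')

# Returns true when the given GitLab EE version is in an affected range.
# Assumes input like "12.4.3" or "12.4.3-ee"; the edition suffix is stripped
# so it is not mistaken for a pre-release tag.
def vulnerable_to_cve_2019_19311?(version_string)
  v = Gem::Version.new(version_string.to_s.strip.sub(/-.*\z/, ''))
  return false if v < FIRST_AFFECTED

  branch = v.segments.first(2).join('.')
  if (fixed = FIXED_BY_BRANCH[branch])
    v < Gem::Version.new(fixed)
  else
    v < FIXED_MAINLINE
  end
end
```

Run it against the value shown by `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint; a `true` result means the instance should be upgraded to the fixed release for its branch.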

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 3

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.