CVE-2019-5467
Description
An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in GitLab CE/EE wiki pages allows attackers to execute arbitrary JavaScript via crafted wiki links.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in the wiki pages feature of GitLab Community Edition (CE) and Enterprise Edition (EE) prior to versions 12.1.2, 12.0.4, and 11.11.6. The issue arises from improper input validation and output encoding when handling wiki-specific hierarchical link Markdown. An attacker can create a wiki page with a specially crafted link that, when clicked, executes arbitrary JavaScript in the context of the victim's session [1].
Exploitation
To exploit this vulnerability, an attacker must have permission to edit wiki pages on a GitLab project. The attacker creates a new wiki page whose page slug is `javascript:` and whose content contains a Markdown link such as `[XSS](.alert(1);)`. The wiki's hierarchical link handling expands the leading `.` to the current page's slug, so the link is rendered with an href of `javascript:alert(1);`. When another user clicks the link, the JavaScript executes in that user's session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who clicks the malicious wiki link. This can lead to session hijacking, data theft, or other malicious actions performed under the identity of the victim, compromising the confidentiality and integrity of the GitLab instance [1].
Mitigation
GitLab addressed this vulnerability in versions 12.1.2, 12.0.4, and 11.11.6. Users should upgrade to the patched release for their branch or later. The advisory lists no workaround; until the upgrade is applied, exposure can be reduced by limiting who may create or edit wiki pages, since the attacker needs that permission to plant the link [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab CE/EE wiki pages
- Range: 11.11.x < 11.11.6; 12.0.x < 12.0.4; 12.1.x < 12.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output encoding of Wiki-specific hierarchical link Markdown allows an attacker to inject arbitrary URI schemes (e.g. `javascript:`) into rendered href attributes."
Attack vector
An authenticated attacker with permission to edit Wiki pages creates a new page whose slug or title is a dangerous URI scheme (e.g. `javascript:`) and whose content contains a Markdown link such as `[XSS](.alert(1);)` [ref_id=1]. GitLab's Wiki-specific hierarchical link handling expands the leading dot (`.`) to the current page's slug, so the target becomes `javascript:` followed by `alert(1);`, and the rendered anchor carries an href of `javascript:alert(1);` [ref_id=1]. When any user clicks the rendered link, the browser executes the attacker's JavaScript in the context of that user's GitLab session, achieving stored cross-site scripting [CWE-79]. No privileges beyond the ability to create or edit Wiki pages in a project the victim can access are required [ref_id=1].
Affected code
The vulnerability exists in GitLab's Wiki page Markdown rendering pipeline, specifically in the handling of Wiki-specific hierarchical link syntax (e.g. `.` and `..` relative links) [ref_id=1]. The issue was present in GitLab CE/EE versions prior to 12.1.2, 12.0.4, and 11.11.6 [ref_id=1]. The exact file paths are not specified in the advisory.
What the fix does
The advisory does not include a patch diff; the fix shipped in GitLab 12.1.2, 12.0.4, and 11.11.6 [ref_id=1]. Given the root cause, a correct fix has to validate the href after hierarchical link resolution, not before: the dangerous scheme only appears once the dot has been expanded to the page slug. Checking the resolved href against an allowlist of permitted schemes (relative paths, `http`, `https`, `mailto`) is the robust form of that check; a denylist of `javascript:`, `data:` and `vbscript:` is weaker, because browsers accept scheme names case-insensitively and strip leading control characters, tabs and newlines, so variants of the same string slip past a literal comparison. Constraining page slugs and titles so they cannot themselves form a URI scheme prefix closes the other half of the problem.
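The following Ruby is an added example, not GitLab's code and not taken from the advisory or the HackerOne report. It models the attack-vector and fix descriptions above: a toy hierarchical link resolver in its vulnerable form (the resolved string goes straight into `href`) and a hardened form that allowlists the scheme of the resolved href, plus a scan a practitioner can run over existing wiki Markdown to find links that would already render with a dangerous scheme. The resolver rules (a leading `.` replaced by the current page slug, `./` and `../` as child and parent paths), the function names, and the sample pages are assumptions; GitLab's real Markdown pipeline is not modelled.

```ruby
# Added example, not GitLab's code: a toy model of wiki hierarchical link
# resolution in a vulnerable and a hardened form, plus a scan over existing
# wiki Markdown. The resolver rules are an assumption (a leading "." is
# replaced by the current page slug); GitLab's real pipeline is not modelled.
require 'cgi'

# Markdown link with one level of balanced parentheses in the destination,
# so that "[XSS](.alert(1);)" captures the whole target ".alert(1);".
WIKI_LINK = /\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)/

# Schemes a wiki link may carry after resolution; everything else is refused.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Vulnerable model: the hierarchical prefix is expanded by string
# substitution and the result goes straight into href. With slug
# "javascript:" the target ".alert(1);" becomes "javascript:alert(1);".
def resolve_vulnerable(target, current_slug)
  if target.start_with?('../')
    File.join(File.dirname(current_slug), target[3..])   # parent of this page
  elsif target.start_with?('./')
    File.join(current_slug, target[2..])                  # child of this page
  elsif target.start_with?('.')
    current_slug + target[1..]                            # this page's own slug
  else
    target
  end
end

# Scheme of an href the way a browser will see it: tabs and newlines are
# dropped anywhere, leading/trailing C0 controls and spaces are stripped,
# and the comparison is case-insensitive. A raw-string denylist check
# misses "JavaScript:" and "\tjavascript:"; this normalisation does not.
def extract_scheme(href)
  s = href.delete("\t\n\r").gsub(/\A[\u0000-\u0020]+|[\u0000-\u0020]+\z/, '')
  m = s.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Hardened model: resolve exactly as before, then allowlist the scheme of
# the *resolved* href. Relative hrefs (no scheme) pass; anything with a
# scheme outside ALLOWED_SCHEMES returns nil so the caller drops the href.
def safe_href(target, current_slug)
  href = resolve_vulnerable(target, current_slug)
  scheme = extract_scheme(href)
  return href if scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
  nil
end

def h(s)
  CGI.escapeHTML(s)
end

# Render one Markdown link to HTML in either mode. In hardened mode a
# refused href degrades to plain link text instead of a clickable anchor.
def render_link(markdown_link, current_slug, hardened: true)
  m = markdown_link.match(WIKI_LINK)
  return h(markdown_link) unless m
  text, target = m[1], m[2]
  href = hardened ? safe_href(target, current_slug) : resolve_vulnerable(target, current_slug)
  href ? "<a href=\"#{h(href)}\">#{h(text)}</a>" : h(text)
end

# Check for existing content: map of slug => Markdown, returns [slug, href]
# pairs whose resolved href would carry a scheme outside the allowlist.
def find_dangerous_links(pages)
  pages.flat_map do |slug, markdown|
    markdown.scan(WIKI_LINK).filter_map do |_text, target|
      href = resolve_vulnerable(target, slug)
      scheme = extract_scheme(href)
      [slug, href] if scheme && !ALLOWED_SCHEMES.include?(scheme)
    end
  end
end

# Constructed sample wiki: the advisory's payload page plus an ordinary page
# with one benign absolute link, one ".." link, and a mixed-case scheme.
SAMPLE_PAGES = {
  'javascript:' => '[XSS](.alert(1);)',
  'docs/home'   => '[docs](https://example.com/docs) [team](../team) [x](JavaScript:alert(2))',
}.freeze

if $PROGRAM_NAME == __FILE__
  puts render_link('[XSS](.alert(1);)', 'javascript:', hardened: false)
  puts render_link('[XSS](.alert(1);)', 'javascript:', hardened: true)
  find_dangerous_links(SAMPLE_PAGES).each { |slug, href| puts "#{slug}: #{href}" }
end
```

The check is deliberately placed after resolution, because before it the target `.alert(1);` contains no scheme at all. The allowlist is conservative: a relative wiki target that happens to contain a colon before any slash (a page literally named `foo:bar`) is refused too, which is the right failure direction for an href.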
Preconditions
- auth: Attacker must have an authenticated GitLab account with permission to create or edit Wiki pages in a project.
- input: The victim must visit the Wiki page and click the crafted malicious link.
- config: The Wiki page must be accessible to the victim (project visibility and Wiki permissions must allow access).
Reproduction
1. Sign in to GitLab and open a project where you have permission to edit Wiki pages.
2. Open the Wiki and click "New page".
3. Fill out "Page slug" with `javascript:` and click "Create page".
4. Set Title to `javascript:`, Format to `Markdown`, and Content to `[XSS](.alert(1);)`.
5. Click "Create page".
6. Click the "XSS" link on the created page; the alert dialog appears [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries and the cited references; no fix-commit diff is available for this CVE. Citations validated against bundle.
References
- https://gitlab.com/gitlab-org/gitlab-ce/issues/60143 (MITRE x_refsource_CONFIRM)
- https://hackerone.com/reports/526325 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.