VYPR
Unrated severity · NVD Advisory · Published Nov 4, 2021 · Updated Aug 3, 2024

CVE-2021-22260


Description

A stored Cross-Site Scripting vulnerability in the DataDog integration in all versions of GitLab CE/EE starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE from 13.7 before 14.0.9, from 14.1 before 14.1.4, and from 14.2 before 14.2.2 has a stored XSS in the DataDog integration, letting a project maintainer or owner execute arbitrary JavaScript in another user's browser.

Vulnerability

A stored Cross-Site Scripting vulnerability exists in the DataDog integration of GitLab CE/EE versions starting from 13.7 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2. The bug is in the app/models/integrations/datadog.rb file, where the api_keys_url method constructs a URL using the datadog_site field without sanitization. This unsanitized value is then rendered in the help text of the API key field, allowing injection of arbitrary HTML/JavaScript [1].

Exploitation

An attacker needs maintainer or owner permissions over a project to access the DataDog integration settings page. The attacker sets the "Datadog site" field to a malicious payload such as "> and saves the configuration. The payload is stored and rendered unsanitized in the help text of the API key field. The attacker then sends a victim (another maintainer/owner) a link to /services/datadog/edit for that project; when the victim visits the page, the injected script executes in their browser context [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the victim's browser, within the GitLab session. This can lead to session hijacking, data theft, or actions performed on behalf of the victim, with the full privileges of the victim user (maintainer or owner) [1].

Mitigation

GitLab fixed the vulnerability in versions 14.0.9, 14.1.4, and 14.2.2. Users should upgrade to one of these patched versions or later. No workaround is available for unpatched instances. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4 entries
  • GitLab Inc. / GitLab (2 version ranges, no CPE)
    • range: >=13.7 <14.0.9, >=14.1 <14.1.4, >=14.2 <14.2.2
    • range: >=13.7, <14.0.9
  • Range: >=13.7 <14.0.9, >=14.1 <14.1.4, >=14.2 <14.2.2
  • osv-coords
    Range: >= 13.7.0, < 14.0.9

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output sanitization of user-controlled `datadog_site` input when constructing the `api_keys_url` that is rendered in the integration settings form."

Attack vector

An attacker who is a maintainer or owner of a project navigates to the DataDog integration settings page and sets the "Datadog site" field to a malicious payload such as `">

Affected code

The vulnerability resides in `app/models/integrations/datadog.rb` [ref_id=1]. The `api_keys_url` method constructs a URL using user-supplied `datadog_site` input via `sprintf(URL_TEMPLATE_API_KEYS, datadog_site: datadog_site)`, and this unsanitized value is rendered in the `help` field of the integration settings form [ref_id=1].

What the fix does

The issue report does not include a published patch diff, but the remediation guidance is implicit in the vulnerability description: the `api_keys_url` output must be sanitized (HTML-escaped) before being interpolated into the `help` attribute string [ref_id=1]. Without sanitization, an attacker-controlled `datadog_site` value is rendered directly into the HTML, enabling stored XSS. No official fix is shown in the provided bundle.
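The unsafe shape described under Affected code, beside one hardened form, as an added Ruby illustration that is not GitLab's code: the URL template, the default site and the hostname check are assumptions, and the fix shown (validate the site, then HTML-escape at render) is what the section above implies rather than the upstream patch.

```ruby
require 'erb'

# Assumed template and default; constructed for this illustration, not GitLab's constants.
URL_TEMPLATE_API_KEYS = 'https://app.%{datadog_site}/account/settings#api'
DEFAULT_SITE = 'datadoghq.com'

# Vulnerable shape: the user-controlled site is interpolated into a URL, and
# that URL is dropped raw into the HTML help string of the settings form.
def api_keys_url_unsafe(datadog_site)
  format(URL_TEMPLATE_API_KEYS, datadog_site: datadog_site)
end

def help_html_unsafe(datadog_site)
  %(<a href="#{api_keys_url_unsafe(datadog_site)}">API key settings</a>)
end

# Hardened shape (assumed remediation, not the upstream patch): reject values
# that cannot be a hostname, then HTML-escape whatever is rendered so a stray
# quote or angle bracket can never close the href attribute.
SITE_FORMAT = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i

def api_keys_url_safe(datadog_site)
  site = datadog_site.to_s.strip
  site = DEFAULT_SITE unless site.match?(SITE_FORMAT)
  format(URL_TEMPLATE_API_KEYS, datadog_site: site)
end

def help_html_safe(datadog_site)
  href = ERB::Util.html_escape(api_keys_url_safe(datadog_site))
  %(<a href="#{href}">API key settings</a>)
end

# Constructed sample input: closes the href attribute and injects markup.
INJECTED_SITE = '"><b>injected</b>'

if __FILE__ == $PROGRAM_NAME
  puts help_html_unsafe(INJECTED_SITE)  # markup lands outside the attribute
  puts help_html_safe(INJECTED_SITE)    # falls back to the default site, escaped
end
```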

Preconditions

  • auth: Attacker must have maintainer or owner permissions on the GitLab project to access the DataDog integration settings page
  • input: Victim must visit the DataDog integration edit page for the affected project

Reproduction

1. As a maintainer/owner, navigate to the DataDog integration settings page at `https://gitlab.com/:user:/:project:/-/services/datadog/edit`.
2. In the "Datadog site" field, enter the payload `">

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.