VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2022 · Updated Aug 3, 2024

CVE-2022-1940

Description

A Stored Cross-Site Scripting vulnerability in the Jira integration in GitLab EE, affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira issues.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GitLab Jira integration via unsanitized Jira issue titles allows arbitrary JavaScript and POST requests.

Vulnerability

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Jira integration feature of GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1. The issue resides in the rendering of Jira issue titles on the GitLab Jira issue details page. When a Jira issue is created with a title containing HTML or JavaScript, the title is not properly HTML-encoded when displayed in GitLab, allowing the injected markup to be executed in the context of the victim's browser [1]. The feature must be configured (project connected to a Jira tracker) for the code path to be reachable.

Exploitation

An attacker with the ability to create or modify a Jira issue title (i.e., having write access to the connected Jira project) can inject arbitrary HTML and JavaScript into the title field [1]. When a GitLab user views the corresponding Jira issue details page (e.g., https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/jira/issues/ISO-1), the malicious payload is rendered without sanitization. An attacker can abuse script gadgets and browser quirks to escalate the injection into sending arbitrary POST requests on behalf of the victim [1]. No authentication beyond Jira write access is required; the victim simply needs to navigate to the affected page.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the GitLab session context. This can lead to sending arbitrary POST requests, potentially enabling account takeover of OAuth/SAML accounts or creation of admin accounts, granting the attacker full control over the GitLab instance [1]. The impact includes disclosure of sensitive data, privilege escalation, and full compromise of the affected GitLab instance.

Mitigation

GitLab addressed this vulnerability in versions 14.9.5, 14.10.4 and 15.0.1; upgrade to one of those releases or later [1]. No workaround has been published, so upgrading is the only fix; until then, anyone with write access to the connected Jira project can plant a title that fires on every GitLab user who opens that issue's detail page. The vulnerability was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
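A fleet check for the affected ranges above, as an added example that is not GitLab's tooling. It assumes versions are written as `major.minor[.patch]` with an optional `-ee` style suffix, and compares components numerically, since a plain string comparison would order 14.10 before 14.9.

```javascript
// Added example (not GitLab's code): decide whether a GitLab EE version string
// falls inside one of the ranges in the CVE-2022-1940 description and, if so,
// which release closes the gap. Ranges are [13.11, 14.9.5), [14.10, 14.10.4)
// and [15.0, 15.0.1); everything else is outside the affected set.
const AFFECTED_RANGES = [
  { from: "13.11.0", fixedIn: "14.9.5" },
  { from: "14.10.0", fixedIn: "14.10.4" },
  { from: "15.0.0", fixedIn: "15.0.1" },
];

// Parse "15.0.1", "15.0.1-ee" or "14.10" into [major, minor, patch].
// Assumption: a "-ee" style suffix can be dropped; a missing patch means 0.
function parseVersion(v) {
  const core = String(v).trim().split("-")[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length < 2 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised GitLab version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the release to upgrade to when `version` is affected, otherwise null.
function cve20221940FixFor(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixedIn) < 0) {
      return r.fixedIn;
    }
  }
  return null;
}

// Constructed sample inventory (not real hosts) to show the check over a fleet.
const SAMPLE_FLEET = [
  { host: "git-a.example", version: "14.9.4-ee" },
  { host: "git-b.example", version: "14.10.3-ee" },
  { host: "git-c.example", version: "15.0.1-ee" },
];

for (const { host, version } of SAMPLE_FLEET) {
  const fix = cve20221940FixFor(version);
  console.log(`${host} ${version}: ${fix ? `affected, upgrade to ${fix}` : "not affected"}`);
}
```

Note that a 14.9.x release at or above 14.9.5 reports as not affected even though a later 14.10.x release may still be: the check follows the three published ranges, not a single "below 15.0.1" threshold.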

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

Missing HTML sanitization of the Jira issue title field when it is rendered through Vue's `v-safe-html` directive allows stored cross-site scripting.

Attack vector

An attacker with access to a Jira server connected to a GitLab EE project creates a Jira issue whose title contains an HTML payload (Jira limits the summary to 255 characters). When a victim opens the Jira issue detail page in GitLab, the title is rendered through `v-safe-html` rather than shown as text, so the attacker's HTML and CSS land in the page [ref_id=1]. The attacker pairs a `js-feature-highlight` gadget with a `data-dismiss-endpoint` attribute to make the page issue an arbitrary POST request (for example, changing the victim's password or creating an admin user) [ref_id=1]. A browser caching quirk (using `history.back()`) makes the payload execute on the second visit, and full CSS control makes the overlaid link nearly impossible to avoid clicking [ref_id=1].

Affected code

The Jira integration detail page at `/-/integrations/jira/issues/ISO-1` (where `ISO-1` is the example issue key) renders the Jira issue title through Vue's `v-safe-html` directive without HTML-encoding it [ref_id=1]. The title field is the vulnerable code path; the issue data is fetched asynchronously and inserted into the DOM after the initial page load [ref_id=1].

What the fix does

The advisory does not include a published patch diff, but the issue report states the fix should sanitize the Jira issue title before rendering it in the detail page [ref_id=1]. The expected correct behavior is that the name/title field should be shown sanitized rather than passed through `v-safe-html` [ref_id=1]. No patch content is available in the bundle to analyze further.
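The rendering difference the "Attack vector", "Affected code" and "What the fix does" passages describe, as an added example that is not GitLab's code. It does not reproduce the `v-safe-html` directive; it contrasts inserting the title as markup with inserting it as text, and models the page-side gadget as a string scan so the whole thing runs in Node. The class and attribute names follow the report's description; the sample title and its endpoint path are constructed placeholders.

```javascript
// Added example, not GitLab's code. Models inserting an untrusted Jira issue
// title into the page as markup (what rendering it through an HTML-rendering
// directive amounts to) versus inserting it as text. The "gadget" below stands
// in for a page script that reads data-dismiss-endpoint from elements carrying
// the js-feature-highlight class and POSTs there; the real one is DOM-bound, so
// it is modelled with a string scan here. Endpoint paths are placeholders.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the title string becomes markup inside the heading.
function renderTitleAsHtml(title) {
  return `<h2 class="title">${title}</h2>`;
}

// Fixed pattern: the title is encoded, so any tags in it display literally.
function renderTitleAsText(title) {
  return `<h2 class="title">${escapeHtml(title)}</h2>`;
}

// Gadget stand-in: collect every data-dismiss-endpoint on an element whose class
// list contains js-feature-highlight. A real page script would POST to each of
// these when the highlight is dismissed; here we only report what it would hit.
function dismissEndpointsTriggered(html) {
  const endpoints = [];
  // Opening tags only: an encoded "&lt;a" never matches, which is the whole point.
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const cls = /class\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!cls || !cls[1].split(/\s+/).includes("js-feature-highlight")) continue;
    const ep = /data-dismiss-endpoint\s*=\s*"([^"]*)"/i.exec(attrs);
    if (ep) endpoints.push(ep[1]);
  }
  return endpoints;
}

// Constructed sample title (not from the report): ordinary text plus an anchor
// carrying the gadget class and a placeholder endpoint path.
const SAMPLE_TITLE =
  'Login page returns 500 <a class="js-feature-highlight" data-dismiss-endpoint="/placeholder/forged-post">x</a>';

console.log(dismissEndpointsTriggered(renderTitleAsHtml(SAMPLE_TITLE))); // ["/placeholder/forged-post"]
console.log(dismissEndpointsTriggered(renderTitleAsText(SAMPLE_TITLE))); // []
console.log(renderTitleAsText(SAMPLE_TITLE)); // tag shown literally inside the heading
```

The point the report makes is that nothing in the payload is a `<script>`: a sanitizer that lets class names and `data-*` attributes through still hands the attacker a POST, because the page's own code acts on those attributes. Encoding the title as text removes the element entirely, so there is nothing for the gadget to find.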

Preconditions

  • config: The target GitLab EE project must have the Jira integration enabled and configured to display Jira issues
  • auth: The attacker must have access to a Jira server that is connected to the victim's GitLab project
  • auth: The victim must be a member of the GitLab project (or the project must be public) and visit the malicious Jira issue detail page
  • input: The victim must use a browser that caches XHR responses and supports the history.back() caching quirk (Chrome and Firefox confirmed)

Reproduction

1. As attacker, create a premium GitLab group and project, then enable the Jira integration following the guide at https://docs.gitlab.com/ee/integration/jira/issues.html#view-jira-issues.
2. In Jira, create a task with the title: `

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)