CVE-2022-2235
Description
Insufficient sanitization in GitLab EE's external issue tracker, affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient sanitization in GitLab EE's ZenTao integration allows XSS via maliciously crafted issue data from an external ZenTao instance.
Vulnerability
GitLab EE's external issue tracker integration with ZenTao (a premium feature) does not properly sanitize data returned from the configured ZenTao API. Affected versions are 14.5 through 14.10.4, 15.0 through 15.0.3, and 15.1 through 15.1.0. When a user views a ZenTao issue, GitLab fetches issue details from the ZenTao instance and renders them without sufficient sanitization, allowing an attacker to inject malicious JavaScript [1].
Exploitation
An attacker must control the ZenTao instance configured in GitLab or be able to inject malicious content into the ZenTao API response (e.g., by compromising the ZenTao server or using a malicious instance). The victim must be a GitLab user with access to the project that has the ZenTao integration enabled. The attacker crafts a ZenTao issue with malicious JavaScript in fields such as title or desc. When the victim clicks on the issue link (e.g., /GROUP/PROJECT/-/integrations/zentao/issues/story-1), the malicious payload executes in the victim's browser [1].
Impact
Successful exploitation leads to cross-site scripting (XSS) in the context of the GitLab session. The attacker could steal session cookies, perform actions on behalf of the victim, or deface the page. The impact is limited to users who view the malicious issue [1].
Mitigation
Fixed in GitLab EE versions 14.10.5, 15.0.4, and 15.1.1. Users should upgrade to these versions or later. As a workaround, administrators can enforce a strict Content Security Policy (CSP) to mitigate XSS, but upgrading is recommended. The fix involves sanitizing the ZenTao API response fields [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=14.5, <14.10.5; >=15.0, <15.0.4; >=15.1, <15.1.1
- Range: >=14.5, <14.10.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing URL validation on the `web_url` field and insufficient HTML encoding on the `id` field in the ZenTao issue serializer allow injection of JavaScript URLs and arbitrary HTML."
Attack vector
An attacker configures a GitLab project to use a malicious ZenTao server as the external issue tracker. When a victim visits the ZenTao issue details page (e.g., `/-/integrations/zentao/issues/story-1`), GitLab fetches the issue from the attacker-controlled server. The attacker's API response returns a crafted JSON payload where `url` is set to `javascript:alert(document.domain)` and `id` contains an HTML injection like `
Affected code
The vulnerability lies in the ZenTao issue integration serializer at `ee/app/serializers/integrations/zentao_serializers/issue_entity.rb`. The `:web_url` expose block passes `item['url']` through without any URL validation, and the `:id` expose block uses `sanitize()` but does not HTML-encode the result [ref_id=1].
What the fix does
The advisory does not include a published patch diff. The expected remediation is to filter JavaScript URLs in the `:web_url` field and to HTML-encode the `:id` field so that injected HTML tags are rendered as text rather than executed [ref_id=1].
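As an added illustration of the remediation described above (not GitLab's own code, whose serializer is not published here), a hypothetical Ruby module that applies both checks to a constructed ZenTao issue hash; the `item['url']` and `item['id']` field names follow the advisory, while `ZentaoIssueHardening`, its method names and the sample issues are assumptions.

```ruby
require 'uri'
require 'erb'

# Hypothetical hardening of the two fields the advisory names; not GitLab's code.
module ZentaoIssueHardening
  # Accept only absolute http(s) URLs that carry a host. Anything else
  # (javascript:, data:, other schemes, malformed input) yields nil, so the
  # view renders no link rather than an executable one.
  def self.safe_web_url(raw)
    return nil unless raw.is_a?(String)

    uri = URI.parse(raw.strip)
    return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?

    uri.to_s
  rescue URI::InvalidURIError
    nil
  end

  # HTML-encode the id so that injected tags are rendered as literal text.
  def self.safe_id(raw)
    ERB::Util.html_escape(raw.to_s)
  end

  # Build the two sanitized attributes from one raw ZenTao issue hash.
  def self.serialize(item)
    { id: safe_id(item['id']), web_url: safe_web_url(item['url']) }
  end
end

# Constructed sample standing in for an attacker-controlled API response.
HOSTILE_ISSUE = {
  'id' => '<b>story-1</b>',
  'url' => 'javascript:alert(document.domain)'
}.freeze

# Constructed sample from a well-behaved ZenTao instance.
BENIGN_ISSUE = {
  'id' => 'story-1',
  'url' => 'https://zentao.example.com/story-view-1.html'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p ZentaoIssueHardening.serialize(HOSTILE_ISSUE)
  p ZentaoIssueHardening.serialize(BENIGN_ISSUE)
end
```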
Preconditions
- config: The GitLab instance must be self-hosted (not GitLab.com) and must not have a strict Content Security Policy that blocks javascript: URLs.
- config: The attacker must be able to configure a project's ZenTao integration to point to a server they control, or they must be able to intercept/modify the API response from a legitimate ZenTao server.
- auth: The victim must be logged into the GitLab instance and click the crafted breadcrumb link on the ZenTao issue details page.
Reproduction
1. On a self-hosted GitLab EE instance with a Premium subscription, log in as a user and create a new project.
2. Navigate to the project's ZenTao integration settings and configure the server URL to point to an attacker-controlled endpoint (e.g., `https://attacker.com`).
3. On the attacker-controlled server, serve the following JSON at `/api.php/v1/issues/story-1`: `{"issue":{"id":"`
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2235.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/360540 (MISC)
- hackerone.com/reports/1542510 (MISC)
News mentions
No linked articles in our index yet.