VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated May 14, 2025

CVE-2022-2865

Description

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in the label colour setting feature, which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims on the client side.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS in GitLab CE/EE via label color import allows attackers to perform arbitrary client-side actions.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 prior to 15.3.2. The bug resides in the label color feature: when importing a project from GitHub, the label colors are not sanitized, allowing an attacker to inject malicious JavaScript that executes when a victim views the imported label [1].

Exploitation

Exploitation requires an attacker to set up a custom GitHub server that serves a repository with a crafted label color containing a JavaScript payload. The attacker then uses the GitLab API to import that repository into a GitLab project. The victim must have access to the project and view the label. The attacker needs to be able to initiate the import, which requires a GitLab personal access token with api scope [1].

Impact

Successful exploitation results in stored XSS on the client side. The attacker can perform arbitrary actions on behalf of the victim, including but not limited to exfiltration of session tokens, modification of page content, and performing actions as the victim within GitLab. Note that the vulnerability bypasses the Content Security Policy (CSP) [1].

Mitigation

GitLab has fixed the vulnerability in versions 15.3.2, 15.2.4, and 15.1.6 [1]. Users should upgrade to one of these patched versions immediately. No workaround is known for unpatched instances.
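A defender-side illustration of the unsanitized label colour described under Vulnerability, as an added example that is not GitLab's own code: an imported label colour is accepted only if the whole string is a 3- or 6-digit hex value, with the naive line-anchored check shown beside the strict one because Ruby's `^`/`$` match at line boundaries and let a value with an embedded newline through. The function names and the default colour are assumptions.

```ruby
# Added example (not GitLab's code): strict validation of an imported
# label colour before it is stored or rendered into an inline style.
# Assumed names: naive_color?, valid_label_color?, normalize_label_color,
# import_label; DEFAULT_LABEL_COLOR is a constructed default.

DEFAULT_LABEL_COLOR = "#428BCA".freeze

# Naive check: looks strict, but in Ruby ^ and $ are line anchors, so a
# string with a newline after the six hex digits still passes.
def naive_color?(value)
  value.to_s.match?(/^#[0-9a-fA-F]{6}$/)
end

# Hardened check: whole-string anchors (\A, \z), a plain String only,
# exactly 3 or 6 hex digits after '#', no surrounding whitespace.
def valid_label_color?(value)
  return false unless value.is_a?(String)
  value.match?(/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/)
end

# Canonical form: expand #RGB to #RRGGBB and upper-case it, so the
# stored value is exactly one of the expected #RRGGBB strings or nil.
def normalize_label_color(value)
  return nil unless valid_label_color?(value)
  hex = value[1..-1]
  hex = hex.chars.map { |c| c * 2 }.join if hex.length == 3
  "##{hex.upcase}"
end

# Import step: an untrusted colour from a remote repository is replaced
# with the default rather than passed through, and the rejection is
# recorded so it shows up in the import's audit trail.
def import_label(name, remote_color, log: [])
  color = normalize_label_color(remote_color)
  if color.nil?
    log << "label #{name.inspect}: rejected colour #{remote_color.inspect}, using default"
    color = DEFAULT_LABEL_COLOR
  end
  { name: name, color: color }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input standing in for labels served by a remote repo.
  log = []
  [["bug", "#d73a4a"], ["docs", "#fff"], ["multi", "#ffffff\nnot-a-colour"],
   ["junk", "blue"]].each { |n, c| p import_label(n, c, log: log) }
  puts log
end
```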

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
