VYPR · NVD Advisory · Severity: unrated · Published Nov 9, 2022 · Updated May 1, 2025

CVE-2022-3265

Description

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GitLab labels colour feature via scoped labels allows attackers to perform arbitrary client-side actions.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in GitLab CE/EE in the labels colour feature, specifically affecting scoped labels (labels containing a :: separator). This is a bypass of a prior fix (HackerOne report #1665658) that addressed XSS via regular labels. All versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 are affected [1]. The vulnerability allows an attacker to inject arbitrary HTML/JavaScript into the label color field, which is later rendered unsanitized in the user interface.

Exploitation

An attacker must have the ability to create or edit labels on a project (typically maintainer or owner role). Using the GitLab API (e.g., with a personal access token scoped to api), the attacker can set a label’s color to a payload such as "> for scoped labels like attack::label. When a victim views any project page that displays that label (e.g., an issue or merge request), the XSS payload executes in the victim’s browser context [1]. No user interaction beyond viewing the page is required.

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the victim’s session. This can lead to theft of session cookies or CSRF tokens, or to actions performed on behalf of the victim, such as modifying project settings, creating issues, or exfiltrating sensitive data [1]. The attack runs on the victim’s client side and, as noted in the report, can bypass Content Security Policy (CSP).

Mitigation

GitLab has addressed this vulnerability in versions 15.3.5, 15.4.4, and 15.5.2 (released September 2022) by properly sanitizing label color inputs for scoped labels [1]. Users should upgrade to one of these fixed versions immediately. No workaround is available; enabling CSP alone is insufficient, as the XSS payload is able to bypass it. This CVE is not listed in the CISA KEV catalog.
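The fix described above comes down to treating the label colour as a typed value rather than free text. The following Ruby snippet is an added example, not GitLab's own code: it shows a strict allow-list validator for the colour field (only CSS hex colours pass, regardless of whether the label name is scoped) together with HTML escaping on output as defence in depth. The function names, the badge markup and the sample inputs are assumptions constructed for this illustration; the malformed value in the samples is the one quoted in the Exploitation section.

```ruby
# Added example (not GitLab's code): strict validation of a label colour value
# before it is stored, plus HTML escaping when the label badge is rendered.
# All names here are assumed for illustration.
require 'cgi'

# Only a CSS hex colour is accepted: "#rgb" or "#rrggbb".
HEX_COLOUR = /\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/

class InvalidColourError < StandardError; end

# Returns true when the value is a well-formed hex colour, false otherwise.
# This is the check that should run on every write path (UI and API alike).
def valid_label_colour?(value)
  HEX_COLOUR.match?(value.to_s.strip)
end

# Normalises a colour for storage, raising if it is not a hex colour.
# Rejecting at the boundary means a value such as '">' never reaches the database.
def validate_label_colour(value)
  value = value.to_s.strip
  unless HEX_COLOUR.match?(value)
    raise InvalidColourError, "label colour must be a hex colour, got #{value.inspect}"
  end
  value.downcase
end

# Renders the badge. The colour is validated again and, like the label name,
# HTML-escaped on output, so even a value that slipped past an earlier check
# cannot break out of the style attribute.
def render_label_badge(name, colour)
  safe_colour = CGI.escapeHTML(validate_label_colour(colour))
  safe_name = CGI.escapeHTML(name.to_s)
  %(<span class="gl-label" style="background-color: #{safe_colour}">#{safe_name}</span>)
end

# Constructed sample inputs: one legitimate scoped label, one scoped label
# carrying the malformed colour quoted in the advisory, and one non-hex value.
SAMPLES = {
  'backend::needs-review' => '#428BCA',
  'attack::label'         => '">',
  'plain'                 => 'red; x'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, colour|
    if valid_label_colour?(colour)
      puts render_label_badge(name, colour)
    else
      puts "rejected label #{name.inspect}: colour #{colour.inspect} is not a hex colour"
    end
  end
end
```

The important design choice is the allow-list: a colour picker only ever produces hex values, so anything else is rejected outright instead of being escaped and stored. Escaping on output is kept as well, because the original report shows that a single sanitisation point (the one for regular labels) can be bypassed by a code path nobody thought to cover.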

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)