CVE-2023-2015
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports, which allows attackers to perform arbitrary actions on behalf of victims.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS in GitLab's abuse report functionality allows attackers to execute arbitrary actions on behalf of victims.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the abuse report functionality of GitLab CE/EE. The ref_url parameter in the /-/abuse_reports/new endpoint is reflected without proper sanitization, allowing injection of arbitrary JavaScript. This affects all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2 [1].
Exploitation
An attacker can craft a malicious URL containing a javascript: scheme in the ref_url parameter (e.g., javascript:alert(44);/...) and send it to a victim. The victim must be logged into GitLab and click the "Cancel" button on the abuse report form. On self-hosted instances without Content Security Policy (CSP), the injected script executes directly. On GitLab SaaS, CSP may block execution, but the script still runs in the browser console [1].
Impact
Successful exploitation allows the attacker to perform arbitrary actions on behalf of the victim, including account takeover, data exfiltration, and unauthorized operations within the victim's session [1].
Mitigation
GitLab has released fixed versions: 15.10.8, 15.11.7, and 16.0.2. Users should upgrade to these versions or later. No workaround is available; upgrading is the only mitigation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.8, <15.10.8 || >=15.11, <15.11.7 || >=16.0, <16.0.2
- Range: >15.8, <15.10.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `ref_url` parameter in the Report Abuse functionality is reflected with no filtering or validation, allowing arbitrary `javascript:` URI injection."
Attack vector
An attacker crafts a URL such as `https://gitlab.com/-/abuse_reports/new?ref_url=javascript:alert(44);/...&user_id=
Affected code
The vulnerability resides in the Report Abuse functionality at the URL path `/-/abuse_reports/new`. The `ref_url` query parameter is reflected back to the user without any server-side validation or HTML encoding [ref_id=1].
What the fix does
The advisory recommends that the `ref_url` parameter should be validated on the server side to allow only `http` or `https` schemes, and that HTML encoding should be applied to prevent script injection [ref_id=1]. No patch diff is included in the bundle, but the expected fix is to reject non-http/https schemes and encode the output.
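The server-side check the advisory describes (accept only `http`/`https` schemes, then HTML-encode the reflected value) can be expressed in a few lines of Ruby. This is an added illustration, not GitLab's own code or patch; the function names, the fallback path `/` and the `Cancel` link markup are assumptions.

```ruby
require 'uri'
require 'erb'

# Schemes the advisory says a reflected ref_url may use (assumption: exact allow-list).
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL unchanged only if it parses and uses http or https with a host;
# anything else (javascript:, data:, protocol-relative, relative, unparsable) yields nil.
def safe_ref_url(value)
  return nil if value.nil? || value.empty?

  uri = URI.parse(value)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  return nil if uri.host.nil? || uri.host.empty?

  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Builds the "Cancel" link for the abuse-report form (hypothetical helper):
# the validated URL (or a fallback) is HTML-encoded before it lands in an attribute,
# so neither the scheme nor characters such as < > " & can break out of the markup.
def cancel_link_html(ref_url, fallback: '/')
  target = safe_ref_url(ref_url) || fallback
  %(<a href="#{ERB::Util.html_escape(target)}">Cancel</a>)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: the javascript: payload shape from the advisory and a benign link.
  puts cancel_link_html('javascript:alert(44);/...')
  puts cancel_link_html('https://gitlab.example.com/root/project/-/snippets/3#note_125')
end
```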
Preconditions
- Input: Victim must be logged into GitLab (self-hosted or SaaS) and click the crafted link, then click the 'Cancel' button on the abuse report form.
- Config: On self-hosted GitLab instances, no CSP protection is present, so the XSS executes directly. On GitLab SaaS, CSP blocks execution but the script may still appear in the console.
Reproduction
1. Create two GitLab accounts (Victim and Attacker) and note their user IDs.
2. Craft the URL: `https://YOUR-HOST/-/abuse_reports/new?ref_url=javascript:alert(44);/%2Froot%2Fvictim-project1%2F-%2Fsnippets%2F3%23note_125&user_id=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 (GitLab Security Releases · Jun 5, 2023)