VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2023 · Updated Jan 7, 2025

CVE-2023-2442
Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GitLab CE/EE via crafted merge request branch name allows attackers to execute arbitrary actions on behalf of victims.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in GitLab CE/EE versions 15.11 before 15.11.7 and 16.0 before 16.0.2. The flaw resides in the merge_requests_helper.rb file where the source_branch attribute is marked as html_safe and interpolated into a string without sanitization [1]. An attacker can create a branch with a malicious name containing HTML and JavaScript, which is then rendered unsanitized when a merge request is viewed.
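The following Ruby is an added illustration of the pattern described above, not GitLab's actual helper code: it contrasts marking an untrusted branch name as safe before interpolation with escaping it first, and adds a small regression check a defender can keep after patching. `SafeBuffer`, `branch_link_vulnerable`, `branch_link_hardened`, `leaks_markup?` and the branch name are constructed for this example.

```ruby
require 'erb'

# Minimal stand-in for Rails' html_safe marker (an assumption for this
# example; GitLab's real helper uses ActiveSupport::SafeBuffer).
class SafeBuffer < String
  def html_safe?
    true
  end
end

# Escape the HTML metacharacters; ERB::Util.html_escape is what the Rails
# `h` helper calls under the hood.
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Vulnerable pattern: the attacker-controlled branch name is marked safe
# *before* interpolation, so its markup reaches the merge request page intact.
def branch_link_vulnerable(source_branch)
  name = SafeBuffer.new(source_branch) # stands in for source_branch.html_safe
  SafeBuffer.new(%(<a class="ref-name">#{name}</a>))
end

# Hardened pattern: escape the untrusted value first; only the escaped
# result is ever marked safe.
def branch_link_hardened(source_branch)
  SafeBuffer.new(%(<a class="ref-name">#{h(source_branch)}</a>))
end

# Defender-side check: does the rendered fragment still contain the raw
# untrusted input when that input carries HTML metacharacters?
def leaks_markup?(rendered, untrusted)
  rendered.include?(untrusted) && untrusted != h(untrusted)
end

# Constructed branch name for the demonstration; git permits '<' and '>'
# in ref names, so such a branch can actually be pushed.
EVIL_BRANCH = 'feature-<script>alert(1)</script>'

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{branch_link_vulnerable(EVIL_BRANCH)}"
  puts "hardened:   #{branch_link_hardened(EVIL_BRANCH)}"
end
```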

Exploitation

To exploit, an attacker must be a GitLab user with the ability to create merge requests. The attacker forks a public project, pushes a branch with a crafted name containing an XSS payload (e.g., ``), and creates a merge request from that branch to the original project. When any user views the merge request page, the malicious script executes in the context of the victim's session [1].

Impact

Successful exploitation results in stored XSS, allowing the attacker to perform arbitrary actions on behalf of the victim, including data exfiltration, session hijacking, and unauthorized operations within the GitLab instance.

Mitigation

The issue is fixed in GitLab versions 15.11.7 and 16.0.2. Users should upgrade to these or later versions immediately. No workaround is available for unpatched instances.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1