VYPR
Unrated severity · NVD Advisory · Published Feb 21, 2024 · Updated Nov 20, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

CVE-2024-1451

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GitLab user profile via unsanitized pronunciation/pronouns fields allows attackers to execute arbitrary actions on behalf of victims.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in GitLab CE/EE versions starting from 16.9 before 16.9.1. The user profile page fails to sanitize the pronunciation and pronouns fields, allowing injection of arbitrary HTML and JavaScript. The issue is rooted in the use of html_safe on a string that includes user-supplied content [1].
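The root cause named above (marking a string that embeds user input as trusted HTML) is a general Rails anti-pattern, not something specific to pronouns fields. The following Ruby is an added illustration and is not GitLab's code: it uses plain string interpolation to stand in for the `html_safe` pattern, escapes the untrusted value with the standard library's `ERB::Util.html_escape`, and adds a small `leaks_markup?` regression check of the kind a reviewer might want on any view helper that renders profile text. The function names and the sample value are constructed for this example.

```ruby
require 'erb'

# Constructed sample value for a profile text field (not from the advisory).
# A harmless <b> tag is enough to show whether input markup reaches the page.
SAMPLE_PRONOUNS = 'they/them <b>bold</b>'

# Hypothetical vulnerable helper, mirroring the advisory's description: the
# stored value is interpolated into markup that is then treated as trusted HTML
# as a whole (the Rails html_safe pattern). Nothing escapes the user's part, so
# whatever markup was saved in the field is handed to the browser verbatim.
def render_pronouns_unsafe(pronouns)
  "<span class=\"user-pronouns\">#{pronouns}</span>"
end

# Hardened helper: escape the untrusted value before it joins trusted markup.
# ERB::Util.html_escape turns <, >, &, " and ' into entities, so stored markup
# is displayed as text instead of being parsed as HTML. (In Rails the same
# effect comes from letting the template auto-escape, i.e. not calling
# html_safe on a string that already contains user input.)
def render_pronouns_safe(pronouns)
  "<span class=\"user-pronouns\">#{ERB::Util.html_escape(pronouns)}</span>"
end

# Regression check: every tag name in the rendered fragment must come from the
# template itself. Any other tag means input markup leaked through unescaped.
def leaks_markup?(rendered, template_tags: %w[span])
  tags = rendered.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq
  !(tags - template_tags).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_pronouns_unsafe(SAMPLE_PRONOUNS)}"
  puts "safe:   #{render_pronouns_safe(SAMPLE_PRONOUNS)}"
  puts "unsafe leaks markup? #{leaks_markup?(render_pronouns_unsafe(SAMPLE_PRONOUNS))}"
  puts "safe leaks markup?   #{leaks_markup?(render_pronouns_safe(SAMPLE_PRONOUNS))}"
end
```

The check is deliberately strict: it does not try to decide which tags are dangerous, it only asserts that the output contains no tag the template did not put there, which is the property the 16.9.1 fix restores for these fields.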

Exploitation

An authenticated attacker can edit their profile and insert a crafted payload into the pronunciation or pronouns fields (e.g., ``). After saving, any other user who views the attacker's profile will execute the payload in their browser. No special privileges or user interaction beyond viewing the profile are required [1].

Impact

Successful exploitation results in a stored XSS with a Content Security Policy (CSP) bypass, enabling the attacker to perform arbitrary actions on behalf of the victim at the client side. This includes stealing session cookies, exfiltrating sensitive data, or performing actions as the victim [1].

Mitigation

The vulnerability is fixed in GitLab version 16.9.1. All instances running 16.9.0 should upgrade immediately. No workarounds are documented. This CVE is not listed in the known exploited vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 1