GitLab Stored XSS Vulnerability (CVE-2023-0050) – Description, Impact, and Fixes
A stored cross-site scripting (XSS) vulnerability (CVE-2023-0050) in affected GitLab CE/EE releases lets an attacker who can submit a crafted Kroki diagram run arbitrary JavaScript in the browser of any user who views it. The impact is broad; the fix is to upgrade to the first patched release on your line: 15.7.8, 15.8.4 or 15.9.2.
GitLab is a Git‑based integrated software development platform developed by GitLab Inc.
In the affected GitLab versions, a stored XSS vulnerability exists because the Kroki filter does not strictly sanitize the image_src value it receives when rendering a diagram. An attacker can store a malicious Kroki diagram in content that GitLab renders (for example an issue or merge request description); when another user views that content, the attacker's JavaScript executes in that user's browser and can perform actions on their behalf.
Vulnerability Details

Vulnerability Name: GitLab Stored XSS Vulnerability
Vulnerability Type: Cross-Site Scripting (stored)
Discovery Date: 2023-03-03
Scope of Impact: Broad
MPS ID: MPS-2023-0208
CVE ID: CVE-2023-0050
CNVD ID: none assigned

Affected Versions (lower bound inclusive, upper bound exclusive; the same ranges apply to GitLab CE and GitLab EE):
GitLab CE/EE [13.7, 15.7.8)
GitLab CE/EE [15.8, 15.8.4)
GitLab CE/EE [15.9, 15.9.2)

Remediation
Upgrade GitLab CE or EE to the first fixed release on the line you are running:
13.7 through 15.7.x: upgrade to 15.7.8 or later
15.8.x: upgrade to 15.8.4 or later
15.9.x: upgrade to 15.9.2 or later
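When triaging an estate of self-hosted GitLab instances against this advisory, the useful check is whether a given version string falls inside one of the three affected ranges and, if so, which fixed release it should move to. The Ruby script below is an added example written for this page, not GitLab's own code: it encodes the ranges listed above, strips GitLab's "-ce"/"-ee" edition suffix before comparing with the standard library's Gem::Version, and returns the target release. The sample version strings in the main block are constructed for illustration.

```ruby
# Added example for CVE-2023-0050 triage; not part of GitLab.
# Ranges are those published in the advisory above (same for CE and EE).
require 'rubygems' # Gem::Version lives here; loaded by default on modern Ruby

# Each entry: [first affected version (inclusive), first fixed version (exclusive)].
AFFECTED_RANGES = [
  ['13.7', '15.7.8'],
  ['15.8', '15.8.4'],
  ['15.9', '15.9.2'],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Normalise a GitLab version string such as "15.7.7-ee" or "15.9.1+abc"
# to its numeric core and return a Gem::Version for comparison.
# Pre-release strings (e.g. "-rc1") are rejected rather than guessed at.
def parse_gitlab_version(str)
  core = str.to_s.strip
             .sub(/-(ce|ee).*\z/i, '')   # drop edition suffix and anything after it
             .sub(/\+.*\z/, '')          # drop build metadata
  unless core.match?(/\A\d+(\.\d+){0,2}\z/)
    raise ArgumentError, "unrecognised GitLab version: #{str.inspect}"
  end
  Gem::Version.new(core)
end

# Returns the fixed release (as a string) the instance should upgrade to if
# the given version is affected by CVE-2023-0050, or nil if it is not.
def cve_2023_0050_fix_for(version_str)
  v = parse_gitlab_version(version_str)
  AFFECTED_RANGES.each do |lo, hi|
    return hi.to_s if v >= lo && v < hi
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inventory; these are not real hosts or observed versions.
  %w[13.6.7 13.7.0 15.7.7-ee 15.7.8 15.8.3 15.8.4-ce 15.9.1 15.9.2 15.10.0].each do |ver|
    fix = cve_2023_0050_fix_for(ver)
    puts(fix ? "#{ver}: AFFECTED, upgrade to #{fix}" : "#{ver}: not affected")
  end
end
```

Gem::Version treats "13.7" and "13.7.0" as equal, so the lower bounds behave as the advisory intends; anything on a line older than 13.7 is reported as not affected by this CVE, which says nothing about the many other fixes such an instance is missing.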