GitLab Stored XSS Vulnerability (CVE-2023-0050) – Description, Impact, and Fixes
A stored XSS vulnerability (CVE-2023-0050) in affected GitLab CE/EE versions allows attackers to execute arbitrary JavaScript via crafted Kroki diagrams. The scope of impact is broad, and remediation requires upgrading to version 15.7.8 or later (15.8.4 or 15.9.2 on the 15.8 and 15.9 release branches).
GitLab is a Git-based integrated software development platform developed by GitLab Inc.
In the affected GitLab versions, a stored cross-site scripting (XSS) vulnerability exists because the Kroki filter does not strictly validate the image_src value it receives. An attacker can craft a malicious Kroki diagram whose rendered output executes arbitrary JavaScript in the browser of any user who views it.
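As an added example (not GitLab's code and not the actual patch for this CVE), here is a hypothetical allowlist check in Ruby, the language GitLab's Banzai filters are written in, of the kind a filter would apply to an image_src value before emitting it into an img tag: it accepts only a URL under the configured Kroki base with a known diagram type, the svg format and a URL-safe base64 payload, and rejects everything else (other schemes such as javascript: or data:, other hosts, attribute-breaking characters). The Kroki base URL, the diagram-type subset and the sample values are assumptions.

```ruby
require "uri"

# Hypothetical allowlist validator for a Kroki <img src> value (not GitLab's code).
# Accepts only <kroki_base>/<type>/svg/<encoded-diagram>, where <type> is a known
# Kroki diagram type and <encoded-diagram> uses Kroki's URL-safe base64 alphabet.
# Everything else is dropped, so the value can never break out of the src attribute
# or switch to a scheme that runs script in the viewer's browser.
module KrokiImageSrc
  DIAGRAM_TYPES = %w[plantuml mermaid graphviz ditaa blockdiag].freeze # assumed subset
  ENCODED_DIAGRAM = /\A[A-Za-z0-9_=-]+\z/.freeze

  # Returns the validated URL string, or nil when the value must be discarded.
  def self.validate(image_src, kroki_base_url)
    return nil unless image_src.is_a?(String)
    return nil if image_src.match?(/[\s"'<>\\]/) # characters that could end the attribute

    uri = URI.parse(image_src)
    base = URI.parse(kroki_base_url)
    return nil unless uri.is_a?(URI::HTTP) # rejects javascript:, data:, relative paths
    return nil unless uri.scheme == base.scheme && uri.host == base.host && uri.port == base.port
    return nil unless uri.userinfo.nil? && uri.query.nil? && uri.fragment.nil?

    base_path = base.path.chomp("/")
    return nil unless uri.path.start_with?("#{base_path}/")

    type, format, encoded, extra = uri.path.delete_prefix("#{base_path}/").split("/")
    return nil unless extra.nil? && format == "svg"
    return nil unless DIAGRAM_TYPES.include?(type)
    return nil unless encoded && ENCODED_DIAGRAM.match?(encoded)

    uri.to_s
  rescue URI::InvalidURIError
    nil
  end

  # Builds the img tag only from a validated value; nil when the value was rejected.
  def self.img_tag(image_src, kroki_base_url)
    src = validate(image_src, kroki_base_url)
    src && %(<img src="#{src}" alt="Kroki diagram">)
  end
end
```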
Vulnerability Details
Vulnerability Name: GitLab Stored XSS Vulnerability
Vulnerability Type: Cross-Site Scripting
Discovery Date: 2023-03-03
Scope of Impact: Broad
MPS ID: MPS-2023-0208
CVE ID: CVE-2023-0050
CNVD ID: -
Affected Versions:
GitLab CE@[13.7, 15.7.8)
GitLab CE@[15.8, 15.8.4)
GitLab CE@[15.9, 15.9.2)
GitLab EE@[15.9, 15.9.2)
GitLab EE@[15.8, 15.8.4)
GitLab EE@[13.7, 15.7.8)
Remediation:
Upgrade the GitLab EE component to version 15.7.8 or later.
Upgrade the GitLab CE component to version 15.7.8 or later.
Upgrade the GitLab CE component to version 15.8.4 or later.
Upgrade the GitLab CE component to version 15.9.2 or later.
Upgrade the GitLab EE component to version 15.9.2 or later.
Upgrade the GitLab EE component to version 15.8.4 or later.