CVE-2021-39885

Опубликовано: 04 окт. 2021

Источник: nvd

CVSS3: 8.7

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

A Stored XSS in merge request creation page in all versions of Gitlab EE starting from 13.7 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names

Ссылки

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39885.json
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/341140
Exploit
Issue Tracking
Vendor Advisory
https://hackerone.com/reports/1342009
Exploit
Permissions Required
Third Party Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39885.json
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/341140
Exploit
Issue Tracking
Vendor Advisory
https://hackerone.com/reports/1342009
Exploit
Permissions Required
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Версия от 13.7.0 (включая) до 14.1.7 (исключая)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Версия от 14.2.0 (включая) до 14.2.5 (исключая)

cpe:2.3:a:gitlab:gitlab:14.3.0:*:*:*:enterprise:*:*:*

EPSS

Процентиль: 44%

0.00217

Низкий

8.7 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-39885

CVSS3: 8.7

ubuntu

больше 4 лет назад

CVE-2021-39885

CVSS3: 8.7

debian

больше 4 лет назад

A Stored XSS in merge request creation page in all versions of Gitlab ...

GHSA-cvqc-8rrv-whf2

CVSS3: 5.4

github

больше 3 лет назад

A Stored XSS in merge request creation page in Gitlab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names

EPSS

Процентиль: 44%

0.00217

Низкий

8.7 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79