Cross-site scripting in GitLab Community Edition - CVE-2019-15739

Published: September 16, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30750
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-15739
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Community Edition

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in GitLab Community and Enterprise Edition 8.1 through 12.2.1. Certain areas displaying Markdown were not properly sanitizing some XSS payloads.
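The root cause class here (CWE-79) is HTML produced from user-controlled Markdown reaching the browser without an allowlist pass. The following is an added illustration, not GitLab's code and not the patch for this CVE: it takes already-rendered HTML fragments (constructed samples, chosen to mimic what a Markdown renderer emits) and applies a strict allowlist sanitizer using only the Python standard library. Tags outside the allowlist are dropped but their text is kept, `script`/`style` contents are discarded entirely, event-handler attributes are removed, and `href`/`src` values are limited to a small set of schemes. Tag and attribute sets are assumptions for the example, not GitLab's actual policy.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Example allowlist policy (assumed for this illustration, not GitLab's).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"img", "br"}               # never emit a closing tag for these
DROP_CONTENT_TAGS = {"script", "style"}  # drop the tag AND everything inside it
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def is_safe_url(value):
    """Accept only relative URLs or the allowed schemes (case-insensitive).

    Tabs and newlines are removed first because browsers ignore them inside
    a scheme, so 'java\\tscript:' would otherwise slip past a naive check.
    """
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises HTML, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, etc.
            if name in ("href", "src") and not is_safe_url(value):
                continue  # drops javascript: and other unexpected schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping:
            return  # script/style body discarded
        # Text is re-escaped, so '<' in content can never open a tag.
        self.out.append(escape(data, quote=False))


def sanitize(rendered_html):
    """Return the allowlist-filtered version of a rendered Markdown fragment."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample fragments, as a Markdown renderer might emit them.
SAMPLES = [
    '<p>Hello <strong>world</strong></p>',
    '<p><img src="x" onerror="alert(1)"></p>',
    '<p><a href="javascript:alert(1)">click</a></p>',
    '<script>alert(1)</script><p>after</p>',
    '<p>a &lt; b</p>',
]

if __name__ == "__main__":
    for fragment in SAMPLES:
        print(f"{fragment!r:55} -> {sanitize(fragment)!r}")
```

Running the block prints each sample beside its sanitised form: the benign paragraph is unchanged, the `onerror` attribute and the `javascript:` link are removed, the script element disappears with its body, and the escaped `&lt;` round-trips back to `&lt;` rather than becoming a live `<`. The design point is that sanitisation runs on the final HTML, after Markdown rendering, and is allowlist-based; a blocklist of "known bad" payloads is exactly the pattern that leaves "some XSS payloads" unhandled.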

How to mitigate CVE-2019-15739

Install the update from the vendor's website.

Sources