CVE-2023-28158: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

March 29, 2023 (updated April 18, 2023)

Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.

References

lists.apache.org/thread/8pm6d5y9cptznm0bdny3n8voovmm0dtt
nvd.nist.gov/vuln/detail/CVE-2023-28158

Code Behaviors & Features

Detect and mitigate CVE-2023-28158 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →