CVE-2019-12442: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Enterprise Edition versions 11.7 through 11.11. The vulnerability involves a persistent Cross-Site Scripting (XSS) vulnerability on the epic details page due to insufficient input validation and output encoding when handling child epics (GitLab Release, NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and CVSS v2.0 Base Score of 4.3 MEDIUM (Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability stems from improper neutralization of input during web page generation, specifically on the epic details page when handling child epics (NVD).

The vulnerability allows attackers to execute persistent cross-site scripting attacks through child epics, potentially leading to unauthorized access to sensitive information and manipulation of web content. The impact is considered moderate as it requires user interaction and results in limited confidentiality and integrity breaches (NVD).

The issue has been fixed in the latest release. GitLab strongly recommends that all installations running affected versions be upgraded to the latest version immediately. The vulnerability affects GitLab EE 11.7 and later versions up to 11.11 (GitLab Release).

The vulnerability was responsibly reported by security researcher @near_, and GitLab acknowledged their contribution in the security release announcement (GitLab Release).