CVE-2021-22185: 
GitLab vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in GitLab versions 13.8 and above, identified as CVE-2021-22185. The vulnerability was disclosed on March 24, 2021, and affects both GitLab Community Edition (CE) and Enterprise Edition (EE). The issue stems from insufficient input sanitization in the wiki functionality (GitLab Release, NVD).

The vulnerability is classified as a stored XSS vulnerability (CWE-79) that occurs due to improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 score is 3.5 (Low) with the vector (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

The vulnerability allows an attacker to exploit a stored cross-site scripting vulnerability through a specially-crafted commit to a wiki. This could potentially lead to the execution of malicious scripts in the context of other users' browsers who view the affected wiki pages (GitLab Release).

GitLab addressed this vulnerability in versions 13.9.2, 13.8.5, and 13.7.8. Organizations running affected versions are strongly recommended to upgrade to these patched versions immediately. The fix was released on March 4, 2021, as part of a security release (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher @yvvdwf. GitLab acknowledged and addressed the vulnerability promptly through their security release process (GitLab Release).