CVE-2021-22238: 
GitLab vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in GitLab (CVE-2021-22238) affecting all versions starting from 13.3. The vulnerability existed in the design feature within issues, where GitLab was susceptible to stored XSS attacks (MITRE CVE, GitLab Advisory).

The vulnerability received a CVSS v3.1 base score of 5.4 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue was related to the DesignReferenceFilter in markdown processing, where the link_reference_pattern allowed special characters in filenames, potentially breaking out of href attributes. The vulnerability was classified as CWE-79 (Cross-site Scripting) (Ubuntu CVE, NVD).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers when they view affected markdown content. This could potentially be used to create and exfiltrate API tokens with full access, targeting both individuals and specific projects (GitLab Issue).

The vulnerability affects GitLab versions from 13.3 and was addressed in versions 13.12.9, 14.0.7, and 14.1.2. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Debian Tracker).