CVE-2022-1190: 
GitLab vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in GitLab CE/EE versions 8.3 through 14.9.2, identified as CVE-2022-1190. The vulnerability was discovered on January 20, 2022, and patched in versions 14.7.7, 14.8.5, and 14.9.2 released on March 31, 2022. The issue affected both Community Edition (CE) and Enterprise Edition (EE) of GitLab, allowing attackers to exploit stored XSS by manipulating multi-word milestone references in issue descriptions and comments (GitLab Release, NVD).

The vulnerability stemmed from improper handling of user input in multi-word milestone references. The issue was rooted in the regular expression pattern that extracted String-based multi-word milestones, which had almost no restrictions. The vulnerable regex pattern '"^"+"' allowed for string-based multi-word milestones surrounded in quotes, making it possible to inject malicious content. The vulnerability received a CVSS v3.1 base score of 8.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N (GitLab Release).

The vulnerability allowed attackers to execute stored XSS attacks through milestone references in issue descriptions and comments. The attack could be spread to public project owners and maintainers through cross-project references and multi-word milestones. The stored XSS could potentially lead to session hijacking, credential theft, and other client-side attacks (GitLab Release).

GitLab addressed this vulnerability by releasing patched versions 14.7.7, 14.8.5, and 14.9.2. Users were strongly recommended to upgrade their GitLab installations to one of these versions immediately. GitLab.com was automatically updated to run the patched version (GitLab Release).