CVE-2023-0523: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. The vulnerability allowed a stored XSS attack via a malicious email address, which specifically affected administrators when attempting to impersonate accounts containing malicious payloads. This vulnerability was assigned CVE-2023-0523 and was discovered through GitLab's HackerOne bug bounty program (GitLab Release, CVE Mitre).

The vulnerability was introduced due to changes in the email confirmation warning system where HTML content was marked as safe using the .html_safe method. This vulnerability specifically manifested when the :soft_email_confirmation feature flag was enabled on self-managed instances. The issue received a CVSS v3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity (GitLab Release).

The vulnerability allowed attackers to inject arbitrary HTML content through email addresses, which would execute when administrators attempted to impersonate the affected accounts. This could lead to cross-site scripting attacks specifically targeting GitLab instance administrators. The HTML payload was not visible in the administrator's user management interface, making it difficult to detect malicious accounts before impersonation (GitLab Release).

The vulnerability was patched in GitLab versions 15.8.5, 15.9.4, and 15.10.1. Organizations running affected versions should upgrade to these patched versions immediately. GitLab.com was already running the patched version at the time of disclosure (GitLab Release).