CVE-2023-2015: 
GitLab vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in GitLab CE/EE, identified as CVE-2023-2015. The vulnerability affects all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The issue was discovered in the Report Abuse functionality of GitLab, allowing attackers to perform arbitrary actions on behalf of victims (GitLab CVE, CVE Mitre).

The vulnerability exists in the Report Abuse functionality, specifically in the handling of the refurl parameter. When creating new abuse reports, the refurl parameter value was reflected without proper filtering or validation, allowing for script injection. The issue was particularly severe in self-hosted GitLab instances where Content Security Policy (CSP) protections might not be in place (GitLab Issue).

The exploitation of this vulnerability could lead to account takeover and allow attackers to perform unauthorized actions on behalf of the victim users. In self-hosted GitLab instances without CSP protection, the impact was more severe as the malicious JavaScript could execute without additional bypass requirements (GitLab Issue).

The vulnerability has been fixed in GitLab versions 15.10.8, 15.11.7, and 16.0.2. The fix involves proper validation of the ref_url parameter on the server side, allowing only http or https schemes, and implementing proper HTML encoding to prevent script injection (CVE Mitre).