GMS-2022-6857: Stored XSS using uppercase characters in HTMLEditor
A malicious content author could add a JavaScript payload to the href attribute of a link. A similar issue was identified and fixed via CVE-2022-28803. However, that fix didn't account for the casing of the href attribute name, so an attribute written as HREF (or any other mixed-case spelling) bypassed the check. An attacker must have access to the CMS to exploit this issue.
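The root cause described above is a sanitizer that compared the attribute name case-sensitively, even though HTML attribute names are case-insensitive. The following Python is an added illustration of that failure mode and its fix; it is not Silverstripe's code and does not reproduce the HTMLEditor implementation. The function names (has_unsafe_href_case_sensitive, has_unsafe_href, sanitize_anchor) and the sample anchor tags are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the same link written with three attribute-name spellings.
SAMPLES = [
    '<a href="javascript:void(0)">x</a>',   # lowercase: caught by a naive check
    '<a HREF="javascript:void(0)">x</a>',   # uppercase: missed by a naive check
    '<a Href="https://example.com/">ok</a>',  # benign URL, mixed-case name
]

# Minimal attribute extractor for double-quoted attributes: name="value".
ATTR_RE = re.compile(r'([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*"([^"]*)"')

# URL schemes a link sanitizer should never allow in href.
UNSAFE_SCHEMES = {"javascript", "vbscript", "data"}


def _is_unsafe_url(value: str) -> bool:
    """Return True if the URL's scheme is one that executes script or embeds content.

    Whitespace and non-printable characters are stripped first, since browsers
    ignore them inside the scheme, and the scheme is compared in lowercase.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned.lower()).scheme in UNSAFE_SCHEMES


def has_unsafe_href_case_sensitive(tag: str) -> bool:
    """Flawed check: only an attribute literally named 'href' is inspected."""
    for name, value in ATTR_RE.findall(tag):
        if name == "href" and _is_unsafe_url(value):
            return True
    return False


def has_unsafe_href(tag: str) -> bool:
    """Corrected check: normalise the attribute name before comparing it."""
    for name, value in ATTR_RE.findall(tag):
        if name.lower() == "href" and _is_unsafe_url(value):
            return True
    return False


def sanitize_anchor(tag: str) -> str:
    """Remove an href attribute, whatever its casing, whose scheme is unsafe.

    Safe attributes are returned unchanged, including their leading whitespace.
    """
    attr_with_space = re.compile(r"\s*" + ATTR_RE.pattern)

    def keep_or_drop(match: re.Match) -> str:
        name, value = match.group(1), match.group(2)
        if name.lower() == "href" and _is_unsafe_url(value):
            return ""
        return match.group(0)

    return attr_with_space.sub(keep_or_drop, tag)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(
            f"{sample!r}: naive={has_unsafe_href_case_sensitive(sample)} "
            f"fixed={has_unsafe_href(sample)} -> {sanitize_anchor(sample)!r}"
        )
```

Running the block shows the naive check flagging only the lowercase sample, while the corrected check flags both script-scheme links and leaves the https link untouched. A regression test for this class of bug should include uppercase and mixed-case attribute names, not just the canonical lowercase form.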