CVE-2021-24323: Cross-site Scripting

May 17, 2021 (updated May 24, 2021)

When taxes are enabled, the Additional tax classes field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html setting is disabled

References

nvd.nist.gov/vuln/detail/CVE-2021-24323

Code Behaviors & Features

Detect and mitigate CVE-2021-24323 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →