Cross-Site Scripting Vulnerability in Gitpod by Gitpod.io
CVE-2023-32766

6.1MEDIUM

Key Information:

Vendor

Gitpod

Status
Gitpod
Vendor
CVE Published:
5 June 2023

What is CVE-2023-32766?

A vulnerability in Gitpod allows Cross-Site Scripting (XSS) due to improper handling of protocol redirection. Specifically, versions of Gitpod prior to 2022.11.3 expose users to XSS attacks as redirection can occur to protocols outside of the predefined trusted set, which includes vscode:, vscode-insiders:, and jetbrains-gateway:. This could permit malicious actors to exploit the system and compromise user security by injecting harmful scripts.

References

https://www.gitpod.io
https://github.com/gitpod-io/gitpod/commit/6771283c340658...
https://github.com/gitpod-io/gitpod/compare/release-2022....

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.