A new security vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting various versions dating back to 10.. The vulnerability has been assigned CVE-2023-3500. It allows an attacker to perform a reflected cross-site scripting (XSS) attack via specific PlantUML diagrams created within GitLab.
To demonstrate the potential impact of this vulnerability, let's consider the following example. An attacker creates a PlantUML diagram as follows:

    @startuml
    !pragma teoz true
    skinparam monochrome true
    <title>
    <script>alert('XSS')</script>
    </title>
    @enduml
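
For defenders, the following added example (not GitLab's code, and not a reproduction of its rendering path or fix) scans stored text for PlantUML blocks carrying active HTML markup like the diagram above, and shows HTML-escaping diagram source before it is echoed into a page. The function names, the pattern list and the sample input are assumptions constructed for illustration.

```python
import html
import re

# Matches one PlantUML block, from @startuml to @enduml, across lines.
BLOCK_RE = re.compile(r"@startuml\b(.*?)@enduml\b", re.DOTALL | re.IGNORECASE)

# Markup that does not belong in diagram text and would execute if reflected unescaped.
ACTIVE_MARKUP = [
    ("script tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("inline event handler", re.compile(r"<[^>]*\son\w+\s*=", re.IGNORECASE)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("embedding tag", re.compile(r"<\s*(iframe|object|embed|foreignObject)\b", re.IGNORECASE)),
]

def scan_plantuml(text):
    """Return (block_index, finding_label, offending_line) for each suspicious line."""
    findings = []
    for index, match in enumerate(BLOCK_RE.finditer(text)):
        for line in match.group(1).splitlines():
            for label, pattern in ACTIVE_MARKUP:
                if pattern.search(line):
                    findings.append((index, label, line.strip()))
    return findings

def safe_reflect(diagram_source):
    """HTML-escape diagram source before echoing it into a page (assumed HTML sink)."""
    return html.escape(diagram_source, quote=True)

# Constructed sample: the diagram from the text plus a benign one.
SAMPLE = """\
@startuml
!pragma teoz true
skinparam monochrome true
<title>
<script>alert('XSS')</script>
</title>
@enduml

@startuml
Alice -> Bob: hello
@enduml
"""

if __name__ == "__main__":
    for block, label, line in scan_plantuml(SAMPLE):
        print(f"block {block}: {label}: {line}")
    print(safe_reflect("<script>alert('XSS')</script>"))
```

A pattern scan like this is a triage aid for existing content; escaping at the output sink is what prevents the markup from executing.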