{"id":"CVE-2021-22223","details":"Client-side code injection through the feature flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to issue PUT requests on behalf of other users when they click on a link","aliases":["BIT-gitlab-2021-22223"],"modified":"2026-04-09T07:26:30.604814Z","published":"2021-07-06T22:15:08.407Z","references":[{"type":"ADVISORY","url":"https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22223.json"},{"type":"REPORT","url":"https://gitlab.com/gitlab-org/gitlab/-/issues/293946"},{"type":"REPORT","url":"https://hackerone.com/reports/1059557"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"a1a60e9f753f4e99f2b13b24028a6092a897cc06"},{"fixed":"c97463266eba228cdd87a62b1289bf372c1b3866"},{"introduced":"a1a60e9f753f4e99f2b13b24028a6092a897cc06"},{"fixed":"c97463266eba228cdd87a62b1289bf372c1b3866"},{"introduced":"12a3ec8fb4a540576b2d47247bc86ea7e2c7565b"},{"fixed":"088a665feba19e15cff694d69fc920197286678b"},{"introduced":"12a3ec8fb4a540576b2d47247bc86ea7e2c7565b"},{"fixed":"088a665feba19e15cff694d69fc920197286678b"},{"introduced":"0034acfc891b0cbc2ecc4aa4c5ca0d1f89e3c32f"},{"fixed":"2504e045362c0930170ea2f9bfd0d1e4d143a817"},{"introduced":"0034acfc891b0cbc2ecc4aa4c5ca0d1f89e3c32f"},{"fixed":"2504e045362c0930170ea2f9bfd0d1e4d143a817"}],"database_specific":{"versions":[{"introduced":"13.9.0"},{"fixed":"13.11.6"},{"introduced":"13.9.0"},{"fixed":"13.11.6"},{"introduced":"13.12.0"},{"fixed":"13.12.6"},{"introduced":"13.12.0"},{"fixed":"13.12.6"},{"introduced":"14.0.0"},{"fixed":"14.0.2"},{"introduced":"14.0.0"},{"fixed":"14.0.2"}]}}],"versions":["v13.12.0-ee","v13.12.1-ee","v13.12.3-ee","v13.12.4-ee","v13.12.5-ee","v14.0.0-ee","v14.0.1-ee"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22223.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}