
CVE-2022-39207: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in theonedev onedev

Medium
Published: Tue Sep 13 2022 (09/13/2022, 18:50:09 UTC)
Source: CVE
Vendor/Project: theonedev
Product: onedev

Description

OneDev is an open source, self-hosted Git server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This leads to Cross-Site Scripting (XSS) when a user creates a build artifact that contains HTML. When accessing the artifact, the content is rendered by the browser, including any JavaScript that it contains. Since all cookies (except for the rememberMe one) do not set the HttpOnly flag, an attacker could steal the session of a victim and use it to impersonate them. To exploit this issue, attackers need to be able to modify the content of artifacts, which usually means they need to be able to modify a project's build spec. The exploitation requires the victim to click on an attacker's link. It can be used to elevate privileges by targeting admins of a OneDev instance. In the worst case, this can lead to arbitrary code execution on the server, because admins can create Server Shell Executors and use them to run any command on the server. This issue has been patched in version 7.3.0. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 23:32:02 UTC

Technical Analysis

CVE-2022-39207 is a stored Cross-Site Scripting (XSS) vulnerability affecting OneDev versions prior to 7.3.0. OneDev is an open-source, self-hosted Git server that integrates CI/CD and Kanban functionality.

The root cause is how build artifacts are delivered. Artifacts produced during a CI/CD run are served by the OneDev webserver from the same origin as the web UI, and their content is rendered inline rather than treated as an opaque download. An artifact that contains HTML is therefore parsed by the victim's browser as a page on the OneDev origin, and any JavaScript in it executes with that origin's privileges. Because every cookie except rememberMe is set without the HttpOnly flag, the injected script can read the session cookie and exfiltrate it, allowing the attacker to hijack the victim's session and act as that user.

Two preconditions limit exploitation. First, the attacker must be able to control artifact content, which in practice means being able to modify a project's build specification, so some level of access to the project is required. Second, the victim must open an attacker-supplied link to the artifact, so user interaction is needed.

The impact is highest when an administrator is targeted: OneDev administrators can create Server Shell Executors, which run arbitrary commands on the server. Session theft from an admin therefore turns a client-side bug into full server compromise.

The issue was fixed in OneDev 7.3.0. No workaround is known, and no exploitation in the wild has been reported to date.

Potential Impact

For European organizations running OneDev versions prior to 7.3.0, this vulnerability threatens both confidentiality and integrity. An attacker who can inject malicious artifacts can steal the session cookies of any user who opens them, administrators included, gaining unauthorized access and a path to privilege escalation. Because administrators can run arbitrary commands on the server through Server Shell Executors, a successful attack can end in full system compromise, theft of source code and build artifacts, or disruption of CI/CD pipelines, with knock-on effects on development workflows and release schedules.

Since OneDev is self-hosted, the exposure of a given instance depends heavily on its own access controls and monitoring. The need for user interaction and for write access to build specs narrows the attack surface but does not remove the risk, particularly in projects with many contributors or weak review of build configuration changes. The missing HttpOnly flag on most cookies makes session hijacking straightforward once the script runs. Overall, the vulnerability can lead to operational disruption, intellectual property loss, and reputational damage for European enterprises that rely on OneDev for software delivery.

Mitigation Recommendations

The primary mitigation is to upgrade all OneDev instances to version 7.3.0 or later, where this vulnerability is fixed. Since no workaround is known, patching is the only complete remedy; the measures below reduce exposure but do not close the hole.

Restrict who can modify build specifications, because artifact content is controlled through the build spec. Require review of changes to build configuration as part of normal CI/CD pipeline hygiene. Limit the number of administrative accounts and the network reachability of OneDev servers, since an administrator's session is the most valuable target.

On the cookie side, setting the HttpOnly flag on session cookies would blunt cookie theft, but it is not a substitute for the patch: a script running on the OneDev origin can still issue authenticated requests on the victim's behalf without ever reading the cookie. If the flag is not configurable in your version, a web application firewall in front of OneDev may catch some XSS payloads aimed at artifact endpoints, but it is a best-effort filter, not a fix. Treat artifact downloads as untrusted content and, where a reverse proxy sits in front of OneDev, consider forcing Content-Disposition: attachment and X-Content-Type-Options: nosniff on artifact paths so browsers download rather than render them.

Monitor for unusual artifact uploads, unexpected changes to build specs, and anomalous access patterns to artifact URLs. Finally, make users aware that links to build artifacts from untrusted parties should not be opened in a browser session that is logged in to OneDev.
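The technical analysis above describes two conditions that together make the bug exploitable: the artifact response is rendered as an active document on the UI origin, and the session cookies lack HttpOnly. The following audit script is an added example, not OneDev code and not part of the original advisory. It models the browser's decision to render or download a response from its headers (an approximation, covering Content-Type, Content-Disposition, X-Content-Type-Options and the CSP sandbox directive), flags Set-Cookie headers without HttpOnly, and shows the header set a proxy or server could emit to make an HTML artifact download instead of render. The header samples and cookie names are constructed for illustration.

```python
"""Audit response headers for the conditions behind CVE-2022-39207.

Added example, not OneDev's code. Header sets and cookie names below
are constructed for illustration.
"""
import re

# MIME types a browser executes scripts in when navigated to directly.
# SVG is included because a top-level SVG document runs inline scripts.
ACTIVE_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def header_values(headers, name):
    """All values for a header name, case-insensitive."""
    return [v for k, v in headers if k.lower() == name.lower()]


def first_header(headers, name, default=""):
    values = header_values(headers, name)
    return values[0] if values else default


def artifact_can_run_as_ui_origin(headers):
    """Approximate what a browser does on a top-level navigation to the
    response: True if script in the body would run on the serving origin."""
    disposition = first_header(headers, "Content-Disposition").strip().lower()
    if disposition.startswith("attachment"):
        return False  # saved to disk, never rendered

    csp = first_header(headers, "Content-Security-Policy").lower()
    for directive in (d.strip() for d in csp.split(";")):
        if directive == "sandbox" or directive.startswith("sandbox "):
            flags = directive.split()[1:]
            # Without allow-scripts nothing executes; without allow-same-origin
            # the document gets an opaque origin and cannot see UI cookies.
            if "allow-scripts" not in flags or "allow-same-origin" not in flags:
                return False

    ctype = first_header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = first_header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    if ctype in ACTIVE_MIME_TYPES:
        return True
    if not ctype and not nosniff:
        return True  # undeclared type without nosniff: browser may sniff HTML (conservative)
    return False


def cookies_missing_httponly(headers):
    """Names of cookies set by the response without the HttpOnly attribute."""
    missing = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def harden_artifact_headers(filename):
    """Headers that make a browser download an artifact rather than render it.
    The filename is reduced to a safe ASCII subset before quoting."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "artifact"
    return [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", f'attachment; filename="{safe_name}"'),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "sandbox"),
    ]


# Constructed samples: the vulnerable artifact response shape and a login
# response whose cookies (except rememberMe, as in the advisory) lack HttpOnly.
VULNERABLE_ARTIFACT = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Length", "123"),
]
LOGIN_RESPONSE = [
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0; HttpOnly"),
    ("Set-Cookie", "ui_prefs=dark; Path=/"),
]

if __name__ == "__main__":
    print("vulnerable artifact renders on UI origin:",
          artifact_can_run_as_ui_origin(VULNERABLE_ARTIFACT))
    print("hardened artifact renders on UI origin:",
          artifact_can_run_as_ui_origin(harden_artifact_headers("report.html")))
    print("cookies without HttpOnly:", cookies_missing_httponly(LOGIN_RESPONSE))
```

Run it against captured responses from your own instance (an artifact download and the login response) to confirm whether artifacts render inline and which cookies a page script could read. Note that HttpOnly only prevents the script from reading the cookie; a script on the UI origin can still send authenticated requests, so the header hardening and the upgrade are what actually remove the attack.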


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-09-02T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf6966

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:32:02 PM

Last updated: 8/16/2025, 9:00:00 PM

