Stored XSS on Issue details page
Link: https://hackerone.com/reports/384255
By: @8ayac
Details: Summary: The detail page of Issue (the page that provides the content of an Issue) is vulnerable to Stored XSS.
Description:
The two exploits are via the function of submitting an issue or the function of editing an issue.
This vulnerability is reproduced in Firefox and Chrome. IE11 and Edge are not. I did not test the reproduction on other browsers.
Steps To Reproduce:
- Sign in to GitLab.
- Click the "[+]" icon.
- Click "New Project".
- Fill out "Project name" form with "PoC".
- Check the check box of "Public".
- Click "Issues"
- Click "New issue" button.
- Fill out each form as follows:
  - Title: PoC
  - Description: `![xss" onload=alert(1);//](a)`
- Click "Submit issue".
Furthermore, when editing an already existing issue, you can also reproduce it by entering A in the "Description" form and saving it.
Impact:
The security impact is the same as any typical Stored XSS.
Thank you!
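The root cause the report points at is a markdown image renderer that copies the alt text of `![alt](src)` into an HTML attribute without escaping it, so a `"` in the alt text closes the attribute and whatever follows becomes new attributes on the `<img>` tag. The following is an added example, not GitLab's code or the reporter's, that puts a deliberately naive renderer beside a hardened one and runs the payload quoted in the report through both; `renderImageVulnerable`, `renderImageHardened`, `attributeNames` and the regexes are all assumptions made for this illustration.

```javascript
// Added example (hypothetical code, not GitLab's): why alt text of a markdown
// image must be attribute-escaped before it is placed inside <img alt="...">.
const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]*)\)/g;

// Payload as quoted in the report (constructed input for this example).
const REPORTED_PAYLOAD = '![xss" onload=alert(1);//](a)';

// Vulnerable variant: interpolates alt and src verbatim into the tag, so a
// double quote in the alt text terminates the attribute early.
function renderImageVulnerable(markdown) {
  return markdown.replace(IMAGE_RE, (_, alt, src) => `<img src="${src}" alt="${alt}">`);
}

// Escape the characters that can change meaning inside a quoted attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow relative URLs and http(s) only; drop javascript:, data: and other schemes.
function safeSrc(src) {
  const s = src.trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(s);
  if (hasScheme && !/^https?:/i.test(s)) return '';
  return escapeAttr(s);
}

// Hardened variant: every untrusted value is escaped for the attribute context.
function renderImageHardened(markdown) {
  return markdown.replace(IMAGE_RE, (_, alt, src) =>
    `<img src="${safeSrc(src)}" alt="${escapeAttr(alt)}">`);
}

// Tokenise the attribute names of a single tag the way a browser would,
// honouring quoted values, so we can see what the markup actually declares.
function attributeNames(tag) {
  const names = [];
  const end = tag.length;
  let i = tag.indexOf(' ');
  if (i < 0) return names;
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;        // skip whitespace
    if (i >= end || tag[i] === '>') break;
    let name = '';
    while (i < end && !/[\s=>]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {                             // consume the value
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) i++;
        i++;                                          // closing quote
      } else {
        while (i < end && !/[\s>]/.test(tag[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// Detection helper: which on* event-handler attributes did the rendered tag end up with?
function eventHandlerAttributes(html) {
  return attributeNames(html).filter((n) => n.startsWith('on'));
}

console.log('vulnerable:', renderImageVulnerable(REPORTED_PAYLOAD));
console.log('  handlers:', eventHandlerAttributes(renderImageVulnerable(REPORTED_PAYLOAD)));
console.log('hardened:  ', renderImageHardened(REPORTED_PAYLOAD));
console.log('  handlers:', eventHandlerAttributes(renderImageHardened(REPORTED_PAYLOAD)));
```

Escaping `"` as `&quot;` keeps the whole alt text inside one attribute value, which is what closes the hole; restricting the `src` scheme is the separate, routine check a markdown renderer needs so the same tag cannot carry a `javascript:` URL.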