Stored XSS in autocompletion functionality for issues and usernames
Update 1: The stored XSS does not only trigger when adding related issues but whenever an issue is autocompleted via #, e.g. in comments. (thanks @smcgivern for the heads-up)
Update 2: The stored XSS is also triggered for username autocompletion via @. (thanks @estrike for the heads-up)
Update 3: The stored XSS is also triggered for snippets autocompletion via $.
Update 4: The stored XSS is also triggered for epics autocompletion via & (when referencing an epic from another epic).
Title: Stored XSS in Issue Related Issue Tab
Scope: *.gitlab.com
Weakness: Cross-site Scripting (XSS) - Stored
Severity: High
Link: https://hackerone.com/reports/425064
Date: 2018-10-17 16:36:18 +0000
By: @ngalog
Summary:
When you enter # in the related issues tab at https://gitlab.com/:project_id/issues/:id, and there is an issue in the project whose title contains a malicious XSS payload, the XSS fires as soon as the autocomplete suggestion list is loaded.
Steps To Reproduce:
- Go to a project in which you have permission to add related issues, and first create a few dummy issues
- Using any user account, create a new issue in that project with the title:
  Investigate vulnerability: in alpine:v3.4<img src=x onerror=alert(2)<img src=x onerror=alert(1)>
- Now visit any of the other dummy issues, click the + button, then enter # in the related issues tab - the XSS pops up!
{F362082}
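The rendering mistake that the steps above exercise, as an added JavaScript example that is not GitLab's code: a # autocomplete that concatenates the stored issue title straight into the dropdown markup (vulnerable) beside the same template with HTML escaping (hardened). The function names, the sample issue list and the hasEventHandlerTag check are constructed for illustration; the malicious title is the one from the reproduction step.

```javascript
// Added example, not GitLab's code. Demonstrates how an autocomplete dropdown
// turns a stored issue title into executable markup, and the escaping that
// prevents it. All function names and sample data here are hypothetical.

// Title copied from the report's reproduction step (the only real input).
const MALICIOUS_TITLE =
  'Investigate vulnerability: in alpine:v3.4<img src=x onerror=alert(2)<img src=x onerror=alert(1)>';

// Constructed sample data standing in for the project's issue list.
const SAMPLE_ISSUES = [
  { iid: 1, title: 'Fix login redirect' },
  { iid: 2, title: MALICIOUS_TITLE },
];

// Vulnerable variant: the title is interpolated into an HTML string that the
// dropdown widget later assigns via innerHTML, so the browser parses the <img>
// and fires its onerror handler (stored XSS).
function renderSuggestionUnsafe(issue) {
  return `<li><small>#${issue.iid}</small> ${issue.title}</li>`;
}

// Escape the five characters that carry meaning in HTML text and attribute
// context. Any untrusted value that ends up in an HTML string must pass here.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened variant: identical template, every interpolated value escaped.
function renderSuggestionSafe(issue) {
  return `<li><small>#${escapeHtml(issue.iid)}</small> ${escapeHtml(issue.title)}</li>`;
}

// Filter the way a '#' trigger would: match on iid prefix or title substring,
// then render each hit with the supplied template.
function suggestions(issues, query, render) {
  const q = query.toLowerCase();
  return issues
    .filter((i) => String(i.iid).startsWith(q) || i.title.toLowerCase().includes(q))
    .map(render)
    .join('\n');
}

// Crude detector for the failure mode under discussion: did the produced HTML
// gain a tag carrying an event-handler attribute? This is a test aid, not a
// sanitizer; never rely on a regex like this to make output safe.
function hasEventHandlerTag(html) {
  return /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Stand-alone demonstration of both paths for the query typed after '#'.
const query = 'alpine';
console.log('unsafe:', suggestions(SAMPLE_ISSUES, query, renderSuggestionUnsafe));
console.log('safe:  ', suggestions(SAMPLE_ISSUES, query, renderSuggestionSafe));
console.log('unsafe has handler tag:', hasEventHandlerTag(suggestions(SAMPLE_ISSUES, query, renderSuggestionUnsafe)));
console.log('safe has handler tag:  ', hasEventHandlerTag(suggestions(SAMPLE_ISSUES, query, renderSuggestionSafe)));
```

The same pattern applies to the @, $ and & triggers noted in the updates: each autocomplete source (usernames, snippet titles, epic titles) is stored, attacker-controlled text, so the fix belongs in the shared rendering path rather than in the issue-specific template alone.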
Impact:
XSS
Edited by Jan Provaznik