Stored XSS in Operation Page
HackerOne report #439446 by ngalog on 2018-11-12:
Summary: New feature introduced in latest version of gitlab instance, it has a operation setting page, and you can inject xss payload and turn it into a stored XSS
Steps To Reproduce:
Click save changes, alert box pops up
Although this xss is only visible to maintainer, anyone could be added to the malicious project as a maintainer.
Security issue: https://dev.gitlab.org/gitlab/gitlab-ee/issues/357