Stored XSS in Operation Page

HackerOne report #439446 by ngalog on 2018-11-12:

Summary: A new feature introduced in the latest version of GitLab has an operations settings page, and you can inject an XSS payload there and turn it into a stored XSS.

Steps To Reproduce:

1. Visit https://gitlab.com/:project_namespace/settings/operations
2. Jaeger URL: https://replaceme.com/'><script>alert(document.cookie)</script>
3. Click save changes, alert box pops up

Although this XSS is only visible to maintainers, anyone could be added to the malicious project as a maintainer.

Impact

Stored XSS

Fix

Security issue: https://dev.gitlab.org/gitlab/gitlab-ee/issues/357

Edited by Reuben Pereira
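
The two controls that address a report like the one above, shown as an added example that is not part of the original report and is not GitLab's actual fix: validate the URL when the setting is saved, and escape it when it is rendered. It assumes the saved value is interpolated into a single-quoted HTML attribute (which the `'>` prefix of the reported value suggests); all method names are hypothetical.

```ruby
require 'uri'
require 'erb'

# Constructed sample: the value from the report's reproduction steps.
REPORTED_VALUE = "https://replaceme.com/'><script>alert(document.cookie)</script>"

# Characters that can terminate an attribute value or open a tag.
FORBIDDEN = /[\s'"<>`]/

# Hypothetical save-time check: accept only absolute http(s) URLs that
# have a host and contain none of the FORBIDDEN characters.
def valid_external_url?(value)
  return false if value.nil? || value.empty? || value.match?(FORBIDDEN)

  uri = URI.parse(value)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Assumed shape of the bug: the stored value is interpolated raw, so a
# quote followed by '>' ends the attribute and the rest is parsed as markup.
def render_link_unsafe(url)
  "<a href='#{url}'>Jaeger</a>"
end

# Hardened rendering: HTML-escape the value for the attribute context,
# so it stays inert even if an invalid value is already in the database.
def render_link_safe(url)
  "<a href='#{ERB::Util.html_escape(url)}'>Jaeger</a>"
end

if __FILE__ == $PROGRAM_NAME
  puts "accepted at save time? #{valid_external_url?(REPORTED_VALUE)}"
  puts "unsafe: #{render_link_unsafe(REPORTED_VALUE)}"
  puts "safe:   #{render_link_safe(REPORTED_VALUE)}"
end
```

Output escaping is the control that matters for values stored before validation was added; the save-time check only stops new bad values from being persisted.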