Stored XSS in user status

HackerOne report #461607 by ashish_r_padelkar on 2018-12-13:

Summary: Hello,

I found a stored XSS in user status which executes on issues, merge requests etc

Description: If you add your status with xss payload at https://gitlab.com/profile as "><img src=x onerror=prompt(1)> , it executes when you comment in issues merge request etc

Steps To Reproduce:

Save your status at https://gitlab.com/profile as "><img src=x onerror=prompt(1)>
Comment on any issue,merge request etc
Now hover over your name and it will open a tool tip where this status xss gets executed!

Regards, Ashish

Impact

Stored XSS in user status

Relevant Links

Security issue - https://dev.gitlab.org/gitlab/gitlabhq/issues/2786

Edited Jan 23, 2019 by Dennis Tang