XSS vulnerability in admin feature to send email notification
Summary
The /admin/email endpoint is vulnerable to a cross-site scripting (XSS) attack, as originally reported by @jbroullon in https://gitlab.com/gitlab-org/security/gitlab/merge_requests/50#note_271320217.
Steps to reproduce
- Log in as an admin
- Add a malicious script to a group name:
  - Open any group
  - Select Settings > General in the left sidebar
  - Add this to the "Group name":
    <SCRIPT>alert('ATTACKED!')</SCRIPT>
  - Click "Save changes"
- Confirm the malicious script is executed on the "Send email notification" page:
  - Go to /admin/email
  - Click the "Recipient group" dropdown input to open it
  - See an alert appear with the text "ATTACKED!"
What is the current bug behavior?
The group name is inserted into the /admin/email page without escaping, so user input is treated as trusted.
What is the expected correct behavior?
The group name is escaped before it is rendered, so user input is not treated as trusted.
Relevant logs and/or screenshots
Similar to #30173 (closed) and #197302 (closed).
Output of checks
This bug happens on GitLab.com.
Possible fixes
- Escape using sanitizeItem()
- Escape before saving to the database (but there is strange behavior with this)
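The following JavaScript is an added example, not GitLab's code and not its sanitizeItem() helper; it shows the vulnerable pattern (a stored group name interpolated into dropdown markup as-is) next to the escaping fix the first option above describes. The names escapeHtml, renderItemUnsafe, renderItemSafe, containsInjectedTag and the sample group object are assumptions constructed for this example.

```javascript
// Added example (not GitLab's code). escapeHtml() is an assumed stand-in for the
// escaping that sanitizeItem() is meant to provide; the group below is constructed
// sample data carrying the payload from the reproduction steps.
const untrustedGroupName = "<SCRIPT>alert('ATTACKED!')</SCRIPT>";

// The characters that change meaning in HTML text and double/single-quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Single-pass replacement, so an existing "&amp;" is not double-escaped on a second call
// within the same pass and every special character is covered.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored name lands in the markup unchanged, so a name that
// contains a tag becomes part of the page when the dropdown is opened.
function renderItemUnsafe(group) {
  return `<li data-id="${group.id}">${group.name}</li>`;
}

// Fixed rendering: every value interpolated into the markup is escaped for the
// context it is placed in (attribute value and element text).
function renderItemSafe(group) {
  return `<li data-id="${escapeHtml(group.id)}">${escapeHtml(group.name)}</li>`;
}

// Detection helper for the test: true if the rendered item contains any tag other
// than the <li> wrapper the renderer itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

// Renders the constructed group both ways and reports whether each output carries
// an injected tag.
function demo() {
  const group = { id: 42, name: untrustedGroupName };
  const unsafe = renderItemUnsafe(group);
  const safe = renderItemSafe(group);
  return {
    unsafe,
    safe,
    unsafeInjected: containsInjectedTag(unsafe),
    safeInjected: containsInjectedTag(safe),
  };
}
```

When rendering into a live DOM rather than building an HTML string, the equivalent fix is to set the item's text through `textContent` (and attributes through `setAttribute`) instead of `innerHTML`, which removes the need to escape by hand.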
Edited by Jeremy Matos