Stored XSS on the job page
HackerOne report #856554 by mike12, submitted on 2020-04-22:
Hello Gitlab!
Steps to reproduce:
- Run GitLab:
  docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
- Create a new project with README.md
- Go to Operations->Kubernetes
  - Click on the "Add Kubernetes cluster" button
  - Select the "Add existing cluster" tab
  - Kubernetes cluster name: cluster-example
  - API URL: https://google.com
  - Service Token: token-example
  - Uncheck the "GitLab-managed cluster" checkbox
  - Click on the "Add Kubernetes cluster" button
- Add a ".gitlab-ci.yml" file to the repository (to the master branch):
  deploy:
    stage: deploy
    script:
      - echo "Example"
    environment:
      name: production
      url: https://google.com
      kubernetes:
        namespace: <img src=x onerror=alert(1)>
    only:
      - master
Vulnerable code
All vulnerable code is in one file: environments_block.vue
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data
- Steal user's credentials
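The report does not show the markup in environments_block.vue, so the following is an added example, not GitLab's code: it contrasts a hypothetical renderer that concatenates the attacker-controlled kubernetes.namespace from .gitlab-ci.yml straight into HTML (the pattern a v-html binding or innerHTML assignment produces) with one that escapes every interpolated value, and adds a defence-in-depth validator that rejects any namespace that is not a valid DNS-1123 label. The sample environment object and the function names are assumptions made for this example.

```javascript
// Added example (not GitLab's environments_block.vue): unsafe vs. safe rendering
// of a CI-controlled Kubernetes namespace, plus input validation as a second layer.

// Constructed sample mirroring the report's reproduction steps: the namespace
// is whatever the .gitlab-ci.yml author wrote, so anyone with push access controls it.
const sampleEnvironment = {
  name: "production",
  url: "https://google.com",
  kubernetes: { namespace: "<img src=x onerror=alert(1)>" },
};

// Minimal HTML escaper, sufficient for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (hypothetical): the namespace is spliced into markup unescaped.
// Setting the result with innerHTML (or a Vue v-html binding) executes the payload.
function renderEnvironmentUnsafe(env) {
  return `<div class="environment-info">` +
    `<span class="name">${env.name}</span> ` +
    `<span class="namespace">${env.kubernetes.namespace}</span>` +
    `</div>`;
}

// FIXED: every value is escaped before it touches the HTML.
// In a Vue template the equivalent is {{ }} / v-text instead of v-html.
function renderEnvironmentSafe(env) {
  return `<div class="environment-info">` +
    `<span class="name">${escapeHtml(env.name)}</span> ` +
    `<span class="namespace">${escapeHtml(env.kubernetes.namespace)}</span>` +
    `</div>`;
}

// Defence in depth: a Kubernetes namespace must be a DNS-1123 label
// (lowercase alphanumerics and '-', start/end alphanumeric, at most 63 chars).
// Rejecting anything else at CI-config parse time shrinks the attack surface,
// but output encoding above is still the actual XSS fix.
function isValidKubernetesNamespace(ns) {
  return typeof ns === "string" &&
    ns.length > 0 && ns.length <= 63 &&
    /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/.test(ns);
}

// Detection helper: does a raw <img ...> tag survive into the rendered markup?
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}

console.log("unsafe:", renderEnvironmentUnsafe(sampleEnvironment));
console.log("safe:  ", renderEnvironmentSafe(sampleEnvironment));
console.log("valid namespace?", isValidKubernetesNamespace(sampleEnvironment.kubernetes.namespace));
```

The unsafe renderer emits the `<img>` element verbatim, the safe one emits `&lt;img ...&gt;` as inert text, and the validator rejects the payload outright because it contains characters a namespace can never have.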