Stored XSS in issue pages
HackerOne report #877065 by mike12
on 2020-05-18, assigned to @cmaxim:
Hello Gitlab!
Steps to reproduce
1. Run Gitlab
   docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
2. Create a new Gitlab project
3. Go to Issues->Milestones
4. Create a new milestone with the following title:
   <img alt="<x" title="/><img src=x onerror=alert(1)>">
5. Go to Issues->List
6. Create a new issue with the milestone created in step 4
7. Collapse the right sidebar
8. Hover over the milestone icon
My GitLab version
root@gitlab:/# gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.26.2
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.10.6
Revision: 833223f2a7f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gitlab.example.com
HTTP Clone URL: http://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 12.2.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data
- Steal user's credentials
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
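The root cause the report describes is a milestone title being spliced into the tooltip's HTML attribute without attribute-escaping, so the quote and angle brackets in the title close the attribute and start a new element. The following is an added illustration, not the reporter's proof of concept and not GitLab's own rendering or fix code: a toy tooltip renderer in its vulnerable and hardened forms, with the report's milestone title used only as a test input. The function names, the markup shape and the tag-counting heuristic are assumptions made for the example.

```javascript
// Added example (not GitLab code): shows why escaping at the point of
// interpolation turns the report's milestone title back into inert text.

// Escape the characters that change meaning inside HTML text or an attribute
// value. Ampersand must be handled first so earlier replacements are not
// double-escaped.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering (hypothetical): the title is spliced into the tooltip
// attribute verbatim, so a title containing `"` ends the attribute early.
function renderTooltipUnsafe(milestoneTitle) {
  return `<span class="milestone-icon" title="${milestoneTitle}"></span>`;
}

// Hardened rendering (hypothetical): identical markup, but the title is
// escaped before it is interpolated, so it can never leave the attribute.
function renderTooltipSafe(milestoneTitle) {
  return `<span class="milestone-icon" title="${escapeHtmlAttr(milestoneTitle)}"></span>`;
}

// Crude tag counter: counts '<' followed by a letter. It is not an HTML
// parser, but it is enough to show whether the title stayed a single
// attribute value (one <span>) or spawned additional elements.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Milestone title from the report, used here only as test input.
const REPORT_TITLE = '<img alt="<x" title="/><img src=x onerror=alert(1)>">';

// Stand-alone demonstration: the unsafe markup contains four tag openers
// (span, img, x, img); the safe markup contains only the span.
console.log('unsafe:', renderTooltipUnsafe(REPORT_TITLE));
console.log('unsafe tag openers:', countTags(renderTooltipUnsafe(REPORT_TITLE)));
console.log('safe:  ', renderTooltipSafe(REPORT_TITLE));
console.log('safe tag openers:  ', countTags(renderTooltipSafe(REPORT_TITLE)));
```

The same principle applies when the tooltip is produced by a front-end framework: binding the value as a DOM attribute (for example Vue's `:title`) sets the property directly and never parses the title as HTML, whereas assembling an HTML string and injecting it reintroduces exactly this attribute breakout.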