Stored XSS in issue pages

HackerOne report #877065 by mike12 on 2020-05-18, assigned to @cmaxim:

Hello GitLab!

Steps to reproduce

  1. Run GitLab: docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
  2. Create a new GitLab project
  3. Go to Issues->Milestones
  4. Create a new milestone with the following title: <img alt="<x" title="/><img src=x onerror=alert(1)>">
  5. Go to Issues->List
  6. Create a new issue with the milestone created in step 4
  7. Collapse the right sidebar (screenshot: 1.png)
  8. Hover over the milestone icon

Screenshots: 2.png, 3.png

My GitLab version

root@gitlab:/# gitlab-rake gitlab:env:info

System information  
System:		  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.5p114  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.7  
Git Version:	2.26.2  
Sidekiq Version:5.2.7  
Go Version:	unknown

GitLab information  
Version:	12.10.6  
Revision:	833223f2a7f  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.7  
URL:		http://gitlab.example.com  
HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	12.2.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data
  3. Steal users' credentials
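The report gives the payload and the steps, but not a way for an administrator of an affected instance to find out whether anyone has already planted such a milestone. The following is an added triage script, not part of the report or of GitLab's own code. It works on milestone records shaped like the JSON returned by the GitLab REST API (GET /api/v4/projects/:id/milestones or /api/v4/groups/:id/milestones); the embedded sample data is constructed for the example, and the field names used (id, project_id, title) are the ones those endpoints return. Titles are HTML-unescaped before inspection so that a payload stored in entity-encoded form is judged in the form a renderer would see it.

```python
"""Flag GitLab milestone titles that contain HTML markup or inline event
handlers, as an indicator that someone tried the stored XSS described in
the report. Added example; not code from the report or from GitLab."""
import html
import json
import re
from typing import Dict, Iterable, List

# Start of an HTML tag: '<', optional '/', then a letter. Written this way
# so ordinary punctuation such as "<->" or "a < b" is not flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
# Inline event handler attribute, e.g. onerror=, onload=, onmouseover=.
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# javascript: URI, the other common attribute-context vector.
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def classify_title(title: str) -> List[str]:
    """Return the reasons a title looks suspicious (empty list if clean)."""
    decoded = html.unescape(title)  # inspect '&lt;img ...&gt;' as '<img ...>'
    reasons = []
    if TAG_RE.search(decoded):
        reasons.append("html_tag")
    if HANDLER_RE.search(decoded):
        reasons.append("event_handler")
    if JS_URI_RE.search(decoded):
        reasons.append("javascript_uri")
    return reasons


def suspicious_milestones(milestones: Iterable[Dict]) -> List[Dict]:
    """Filter API-shaped milestone dicts down to the ones worth a look."""
    hits = []
    for m in milestones:
        reasons = classify_title(m.get("title", ""))
        if reasons:
            hits.append({
                "id": m["id"],
                "project_id": m.get("project_id"),
                "title": m["title"],
                "reasons": reasons,
            })
    return hits


# Constructed sample in the shape of the milestones API response. Entry 3 is
# the payload from the report; entry 4 is the same class of payload stored
# entity-encoded. Entries 1 and 2 are benign and must not be flagged.
SAMPLE = json.loads('''[
  {"id": 1, "iid": 1, "project_id": 7, "title": "v1.0"},
  {"id": 2, "iid": 2, "project_id": 7, "title": "Sprint 12 (QA <-> Dev handoff)"},
  {"id": 3, "iid": 3, "project_id": 7,
   "title": "<img alt=\\"<x\\" title=\\"/><img src=x onerror=alert(1)>\\">"},
  {"id": 4, "iid": 1, "project_id": 9,
   "title": "&lt;svg onload=alert(document.domain)&gt;"}
]''')

if __name__ == "__main__":
    for hit in suspicious_milestones(SAMPLE):
        print(f"project {hit['project_id']} milestone {hit['id']}: "
              f"{hit['reasons']} -> {hit['title']!r}")
```

To run this against a real instance, feed it the JSON from the milestones endpoints above (paginated, so iterate over pages) and treat every hit as an exploitation attempt to be investigated, not merely a title to be cleaned up: a milestone with markup in its title may already have been hovered over by other users of the project.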

Attachments

Warning: Attachments received through HackerOne, please exercise caution!