Stored XSS in merge request because of target branch
HackerOne report #1030189 by ashish_r_padelkar
on 2020-11-09, assigned to @kaunghtet:
Report
Summary
Hello,
I found a stored XSS in merge requests which triggers for everyone in a public project, as merge requests are available to everyone. Currently GitLab.com is protected because of CSP.
Steps to reproduce
- Create a file at -/new/master/ and in the Target Branch section put the branch name as the XSS payload "><img/src='x'onerror=prompt(1)>.
- Create a merge request now at /-/merge_requests/new. Select Target Branch as the above branch with the XSS payload and create a merge request.
- As soon as you create the merge request, you should see the button below.
- Click on Merge Immediately.
- It will create a pipeline and appear as a note, which triggers this XSS.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Stored XSS in merge request
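The report describes a branch name that breaks out of an HTML attribute when the merge note is rendered. The following Ruby snippet is an added illustration, not GitLab's code and not part of the report: render_note_unsafe and render_note_safe are hypothetical renderers, PAYLOAD_BRANCH is a constructed sample shaped like the payload above, and injects_markup? is a simple check a test suite could run to confirm that an untrusted value contributes no tag delimiters to the output.

```ruby
require "erb"

# Constructed sample branch name, shaped like the payload in the report.
# Git's ref rules allow quotes, angle brackets and slashes, so a name like
# this is a valid branch name and will reach the rendering layer unchanged.
PAYLOAD_BRANCH = %q{"><img/src='x'onerror=prompt(1)>}

# Hypothetical vulnerable renderer: the branch name is interpolated directly
# into an HTML attribute and into text content. The leading '">' closes the
# href attribute and the <a> tag, so the rest of the name becomes markup.
def render_note_unsafe(branch)
  %Q{<a class="ref-name" href="/-/tree/#{branch}">#{branch}</a>}
end

# Hypothetical hardened renderer: every untrusted value is HTML-escaped
# before it lands in attribute or text context. ERB::Util.html_escape
# encodes & < > " and ' so the browser treats the name as plain text.
def render_note_safe(branch)
  escaped = ERB::Util.html_escape(branch)
  %Q{<a class="ref-name" href="/-/tree/#{escaped}">#{escaped}</a>}
end

# Regression check: the rendered HTML should contain exactly as many '<'
# characters as the template itself has tags. Any extra one means the
# untrusted value opened a tag of its own.
def injects_markup?(html, template_tag_count)
  html.count("<") > template_tag_count
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_note_unsafe(PAYLOAD_BRANCH)}"
  puts "safe:   #{render_note_safe(PAYLOAD_BRANCH)}"
  puts "unsafe injects markup? #{injects_markup?(render_note_unsafe(PAYLOAD_BRANCH), 2)}"
  puts "safe injects markup?   #{injects_markup?(render_note_safe(PAYLOAD_BRANCH), 2)}"
end
```

Escaping at the output point is the fix; a Content Security Policy that blocks inline event handlers, as the report notes for GitLab.com, only limits the damage on instances that ship such a policy and does not make the unescaped template safe.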
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
Edited by Kaung Htet Aung