GitLab.org / GitLab / Issues / #328389 (Closed)
Issue created Apr 20, 2021 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Stored XSS in the Jira issue detail pages

HackerOne report #1132083 by thornguyen on 2021-03-22, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

Report

Summary

I've found a stored XSS vulnerability in the Jira issue detail pages by exploiting the Jira integration. Also, I was able to bypass CSP and gain full JavaScript execution under the gitlab.com context.

Steps to reproduce
  1. Create a mock API that responds with this payload (payload.json) to requests to the path /rest/api/2/issue/POC?expand=renderedFields. You can use https://beeceptor.com/ as in my POC video.

  2. In a GitLab project that has a Premium / Ultimate license, go to Settings -> Integrations -> Jira:

  • Tick Active in the Enable integration section
  • Input any URL in the Web URL field
  • Input the mock API created in Step 1 in the Jira API URL field
  • Click Save changes
  3. Now go to https://gitlab.com/[YOUR_ORGANIZATION]/[YOUR_PROJECT]/-/integrations/jira/issues/POC and you will see a popup.
Impact

Stored XSS allows attackers to perform arbitrary actions on behalf of victims on the client side. And since the Jira issue detail pages can be made public, this impacts a considerable number of GitLab users and visitors.

Examples
  • [REDACTED] (tested in Chrome and Firefox)
What is the current bug behavior?

GitLab doesn't sanitize the key field in the JSON response from the Jira API, so it leads to stored XSS on the Jira issue detail pages.

[REDACTED]

POC Video

[REDACTED]

What is the expected correct behavior?

GitLab should sanitize the key field in the JSON response from the Jira API before outputting it to the browser.

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]

How To Reproduce

Please add reproducibility information to this section:

Edited Jul 07, 2022 by Costel Maxim
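Added example, not GitLab's code or the reporter's PoC: a constructed response from a mock Jira API URL whose key field carries markup, rendered once by concatenating the field into HTML (the class of bug reported above) and once by a hardened renderer that rejects keys not matching the assumed Jira key shape (uppercase project key, hyphen, issue number) and escapes on output regardless.

```javascript
// Constructed mock body for /rest/api/2/issue/POC?expand=renderedFields, standing in
// for what an attacker-controlled Jira API URL returns. The markup in "key" is an inert
// marker; the point is only that "<" and ">" reach the page intact.
const mockJiraBody = `{
  "id": "10001",
  "key": "POC<script>/* constructed marker */</script>",
  "fields": { "summary": "Constructed summary" },
  "renderedFields": { "description": "<p>Constructed description</p>" }
}`;
const mockJiraIssue = JSON.parse(mockJiraBody);

// Escape the five characters that matter when text is interpolated into an element body.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed Jira key shape: uppercase project key (letters, digits, underscore), a hyphen,
// then the numeric issue id. Anything else from the upstream API is treated as hostile.
const JIRA_KEY_RE = /^[A-Z][A-Z0-9_]*-\d+$/;

function isValidJiraKey(key) {
  return typeof key === "string" && JIRA_KEY_RE.test(key);
}

// Vulnerable rendering: trusts the upstream JSON and concatenates it straight into HTML.
function renderKeyUnsafe(issue) {
  return `<a class="issue-key">${issue.key}</a>`;
}

// Hardened rendering: validate the shape first, then escape anyway (defence in depth,
// since the same value is reused in titles, links and breadcrumbs).
function renderKeySafe(issue) {
  if (!isValidJiraKey(issue.key)) {
    throw new Error("Jira API returned an issue key of unexpected shape");
  }
  return `<a class="issue-key">${escapeHtml(issue.key)}</a>`;
}

// Demonstration: the unsafe path passes the markup through, the safe path refuses it.
console.log(renderKeyUnsafe(mockJiraIssue));
try {
  console.log(renderKeySafe(mockJiraIssue));
} catch (err) {
  console.log("rejected:", err.message);
}
console.log(renderKeySafe({ key: "PROJ-42" }));
```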