
Stored XSS in the Jira issue detail pages

HackerOne report #1132083 by thornguyen on 2021-03-22, assigned to @ngeorge1:


Report

Summary

I've found a stored XSS vulnerability in the Jira issue detail pages by exploiting Jira integration. Also, I was able to bypass CSP and gain full javascript execution under gitlab.com context.

Steps to reproduce
  1. Create a mock API that responds with this payload (payload.json) to requests for the path /rest/api/2/issue/POC?expand=renderedFields. You can use https://beeceptor.com/ like in my POC video.

  2. In a GitLab project that has a Premium / Ultimate license, go to Settings -> Integrations -> Jira:

  • Tick Active in the Enable integration section
  • Input any URL in the Web URL field
  • Input the mock API created in Step 1 in the Jira API URL field
  • Click Save changes

  3. Now go to https://gitlab.com/[YOUR_ORGANIZATION]/[YOUR_PROJECT]/-/integrations/jira/issues/POC and you will see a popup.

Impact

Stored XSS allows attackers to perform arbitrary actions on behalf of victims on the client side. And since the Jira issue detail pages can be made public, this impacts a considerable number of GitLab users and visitors.

Examples
  • [REDACTED] (tested in Chrome and Firefox)

What is the current bug behavior?

GitLab doesn't sanitize the key field in the JSON response from the Jira API, so it leads to stored XSS on the Jira issue detail pages.

[REDACTED]

POC Video

![REDACTED]

What is the expected correct behavior?

GitLab should sanitize the key field in the JSON response from the Jira API before outputting it to the browser.

Output of checks

This bug happens on GitLab.com

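The report's root cause is that a field taken from a third-party API response is placed into the page without output encoding. The following Ruby snippet is an added illustration of the fix the reporter asks for, not GitLab's own code: it parses a constructed Jira-style response, shows the unsafe concatenation beside a hardened renderer that HTML-escapes every untrusted value, and additionally rejects issue keys that do not match the `PROJECT-123` shape. The key pattern, the sample JSON bodies and all function names are assumptions made for this example.

```ruby
require 'json'
require 'erb'

# Assumption for this example: Jira issue keys look like "PROJECT-123", an
# uppercase project key followed by a dash and a number. A field with a
# well-known shape should be allowlisted, not only escaped.
JIRA_ISSUE_KEY = /\A[A-Z][A-Z0-9_]*-\d+\z/

class UntrustedJiraResponse < StandardError; end

# Constructed sample of a Jira issue response (not a real API capture).
SAMPLE_RESPONSE = <<~JSON
  {
    "key": "POC-1",
    "fields": { "summary": "Tooltip shows <b>bold</b> text" }
  }
JSON

# Constructed sample whose key carries markup instead of an issue key.
MALFORMED_RESPONSE = <<~JSON
  {
    "key": "POC<b>x</b>",
    "fields": { "summary": "anything" }
  }
JSON

# Pull the two fields the detail page needs out of the JSON body. No trust
# decision is made here; the values are still untrusted strings.
def parse_issue(body)
  data = JSON.parse(body)
  { key: data['key'].to_s, summary: data.dig('fields', 'summary').to_s }
end

def valid_issue_key?(key)
  key.is_a?(String) && key.match?(JIRA_ISSUE_KEY)
end

# Vulnerable rendering, the behaviour the report describes: the key is
# interpolated straight into HTML, so markup inside it reaches the browser.
def render_unsafe(issue)
  "<h2>#{issue[:key]}: #{issue[:summary]}</h2>"
end

# Hardened rendering: reject keys of the wrong shape, then HTML-escape every
# value at the point where it becomes HTML (free-text fields like the summary
# can only be escaped, not allowlisted).
def render_safe(issue)
  raise UntrustedJiraResponse, 'issue key missing or malformed' unless valid_issue_key?(issue[:key])

  h = ->(s) { ERB::Util.html_escape(s) }
  "<h2>#{h.call(issue[:key])}: #{h.call(issue[:summary])}</h2>"
end

if __FILE__ == $0
  puts render_safe(parse_issue(SAMPLE_RESPONSE))
  begin
    render_safe(parse_issue(MALFORMED_RESPONSE))
  rescue UntrustedJiraResponse => e
    puts "rejected: #{e.message}"
  end
end
```

Escaping at output time is the fix that matters for every field; the allowlist check on the key is a second layer that also gives a clean signal to log when an integration endpoint starts returning data of an unexpected shape.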

Attachments

Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]

How To Reproduce

Please add reproducibility information to this section:
