Stored-XSS in user's profile page

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2371126 by yvvdwf on 2024-02-12, assigned to @cmaxim:

Report | How To Reproduce

Report

Hello,

Gitlab recently reorganized user's profile page:

###  https://gitlab.com/gitlab-org/gitlab/-/blob/2934d5a2a640d195cb0c8df6f3d22d373cc88799/app/views/users/show.html.haml#L115

 %div= sprintf(s_("UserProfile|Pronounced as: %{div_start}%{pronunciation}%{div_end}"), { pronunciation: [@]user.pronunciation, div_start: '<div class="gl-font-sm gl-text-secondary gl-display-inline-flex">', div_end: '</div>' }).html_safe   

This allows injecting any HTML tags in user' profile page via [@]user.pronunciation, thus leading to XSS.

Reproduce

• Login your account at https://gitlab.com
• Goto Edit Profile page at https://gitlab.com/-/user_settings/profile
• Fill Prononciation: XSS<i/class=hidden><form/class=gl-show-field-errors><input/title='<script>alert(document.domain)</script>'>
• Click Update profile settings
• View user' profile, e.g., https://gitlab.com/YOUR_USERNAME (please replace YOUR_USERNAME by your username)
• You should see an alert generated by alert(document.domain) above

Note: XSS can be achieved via Pronouns.

Impact

Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.

What is the current bug behavior?

Pronunciation (and Pronouns) is not sanitized

Output of checks

This bug happens on GitLab.com

Impact

Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.

How To Reproduce

Please add reproducibility information to this section: