Stored-XSS in user's profile page
HackerOne report #2371126 by yvvdwf
on 2024-02-12, assigned to @cmaxim:
Report
Hello,
GitLab recently reorganized the user's profile page:

https://gitlab.com/gitlab-org/gitlab/-/blob/2934d5a2a640d195cb0c8df6f3d22d373cc88799/app/views/users/show.html.haml#L115

```haml
%div= sprintf(s_("UserProfile|Pronounced as: %{div_start}%{pronunciation}%{div_end}"), { pronunciation: @user.pronunciation, div_start: '<div class="gl-font-sm gl-text-secondary gl-display-inline-flex">', div_end: '</div>' }).html_safe
```

This allows injecting any HTML tags into the user's profile page via `@user.pronunciation`, thus leading to XSS.
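As an added illustration (not code from the report or from GitLab), the `sprintf` / `html_safe` pattern above is reproduced in plain Ruby next to a version that escapes the untrusted value before it is interpolated into the trusted wrapper markup. The constants, function names and the `injected_tags` check are assumptions made for this example; the i18n `s_()` call is replaced by a fixed format string and `.html_safe` (a Rails marker) is simulated by returning the string unchanged.

```ruby
require 'erb'

# Wrapper markup taken from the view line quoted in the report.
DIV_START = '<div class="gl-font-sm gl-text-secondary gl-display-inline-flex">'.freeze
DIV_END   = '</div>'.freeze
# Stand-in for the translated string returned by s_("UserProfile|...") (assumption).
FORMAT    = 'Pronounced as: %{div_start}%{pronunciation}%{div_end}'.freeze

# Vulnerable pattern: the user-controlled value is dropped into the format
# string raw, and Rails' .html_safe then marks the WHOLE result as trusted,
# so the template engine never escapes it. Plain Ruby has no .html_safe, so
# this simply returns the string, which is equivalent for the comparison.
def render_pronunciation_vulnerable(pronunciation)
  sprintf(FORMAT, { pronunciation: pronunciation.to_s,
                    div_start: DIV_START, div_end: DIV_END })
end

# Hardened pattern: escape only the untrusted value, then combine it with the
# static markup. Only the wrapper is author-controlled, so only it may be
# trusted; the user value reaches the page as text, not as tags.
def render_pronunciation_fixed(pronunciation)
  escaped = ERB::Util.html_escape(pronunciation.to_s) # &lt; &gt; &amp; &quot; &#39;
  sprintf(FORMAT, { pronunciation: escaped,
                    div_start: DIV_START, div_end: DIV_END })
end

# Regression check for a unit test (assumption): any tag name in the rendered
# fragment other than the wrapper's own <div> came from user input.
def injected_tags(html)
  html.scan(/<\/?([a-zA-Z][\w-]*)/).flatten.map(&:downcase).reject { |t| t == 'div' }
end

if __FILE__ == $PROGRAM_NAME
  sample = 'Jo<i>hn</i>' # constructed input containing a tag
  puts "vulnerable: #{injected_tags(render_pronunciation_vulnerable(sample)).inspect}"
  puts "fixed:      #{injected_tags(render_pronunciation_fixed(sample)).inspect}"
end
```

Building the element with a tag helper such as `content_tag`/`tag.div`, which escapes its content, is the other sound shape for this line in Rails; what matters is that `html_safe` is never applied to a string that still contains unescaped user input.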
Reproduce

- Log in to your account at https://gitlab.com
- Go to the Edit Profile page at https://gitlab.com/-/user_settings/profile
- Fill Pronunciation with: `XSS<i/class=hidden><form/class=gl-show-field-errors><input/title='<script>alert(document.domain)</script>'>`
- Click Update profile settings
- View the user's profile, e.g., https://gitlab.com/YOUR_USERNAME (please replace YOUR_USERNAME with your username)
- You should see an alert generated by the `alert(document.domain)` above

Note: XSS can also be achieved via Pronouns.
Impact
Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.
What is the current bug behavior?
Pronunciation (and Pronouns) is not sanitized.
Output of checks
This bug happens on GitLab.com