A CSP-bypass XSS in user's profile page

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2961854 by yvvdwf on 2025-01-28, assigned to @fvpotvin:

Report | Attachments | How To Reproduce

Report

Hi team,

I recently reported an XSS concerning the asciidoctor renderer. GitLab released a patch which effectively fixed the XSS presented in that report by eliminating the data-lines-path attribute of DOM elements that was used to trigger XSS in snippet pages. However, the asciidoctor renderer in the profile page of users is still vulnerable when exploiting data-calendar-activities-path, which leads to an XSS.

Reproduce

The following steps reproduce the issue on gitlab.com. They are used to create an XSS in the profile page of a user whose username is USER-A. Please replace this username with your username when reproducing.

Step 0.
  • create a public snippet with this content: <script>alert(document.domain)</script>
  • note its raw URL, for example: [redacted]

Example:
![redacted]

Step 1.
  • The objective is to create a public project containing a README.adoc to show on the user profile page (see detail here).

  • if you already have a project at https://gitlab.com/USER-A/USER-A, then delete it or rename it to another name.

  • create a new blank project:

    • Project name: USER-A
    • Project URL: https://gitlab.com/USER-A
    • Project slug: USER-A
    • Visibility Level: Public
    • Project Configuration:
      • Initialize repository with a README: Uncheck
  • On the right sidebar, click New file; you will be redirected to the GitLab IDE

    • Add new file README.adoc with the content in the attached file
    • Replace the value of data-calendar-activities-path with the raw URL of the snippet created in Step 0
    • Commit the new file

Example:
![README.adoc.png]

Step 2.
  • Open the profile page of user USER-A at https://gitlab.com/USER-A (the page takes at least 10 seconds to load)
  • Then click on the contributions calendar (see the red zone in the figure below); you will see an alert

Example:
![click.png]

Impact

Stored XSS with CSP bypass allows attackers to execute arbitrary actions on behalf of victims on the client side.
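A defensive counterpart to the report, added here and not GitLab's own code: a sanitizer pass that strips every data-* attribute (and any attribute off an allow-list) from user-rendered HTML, so an attribute such as data-calendar-activities-path cannot carry a user-chosen URL out of a README into the profile page. It assumes, as the report's symptom suggests, that frontend JavaScript reads that attribute as trusted configuration; the sample element and its URL are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Attributes a user-authored README may keep after rendering. Everything else,
# and every data-* attribute, is stripped because frontend JavaScript treats
# data-* values as trusted configuration (assumption, per the report's symptom).
ALLOWED_ATTRS = {"href", "src", "class", "id", "title", "alt", "rel"}


class DataAttrStripper(HTMLParser):
    # Re-emits the HTML it is fed, keeping only allow-listed attributes.
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str]] = []  # (tag, attribute) for audit logs

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("data-") or name not in ALLOWED_ATTRS:
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._filter(tag, attrs)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (clean_html, dropped_attributes) for one rendered document."""
    parser = DataAttrStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample modelled on the report: an element in a rendered README
# carrying the attribute that the contributions-calendar script reads.
SAMPLE = ('<div class="user-calendar" '
          'data-calendar-activities-path="https://example.invalid/raw">'
          'calendar</div>')

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)    # <div class="user-calendar">calendar</div>
    print(dropped)  # [('div', 'data-calendar-activities-path')]
```

The dropped list is what a server-side log or a regression test would watch: any data-*-path attribute surviving into profile-page HTML is the defect class this report describes.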

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: