# Hyperlink injection in full name field of user profile
**[HackerOne report #1090634](https://hackerone.com/reports/1090634)** by `andor404` on 2021-01-30, assigned to @ankelly:

[Report](#report) | [Attachments](#attachments)

## Report

### Summary

Hello GitLab Team,

I found a payload for the "Full name" field of the user profile page which leads to hyperlink injection in the breadcrumb navigation of the user's projects.

### Steps to reproduce

1. In the user profile page change the username of the "Full name" field to: `<a href="//example.com">New Username<a>`
2. If there isn't already a project under the user's namespace, create a new one.
3. Browse to any project of the user.
4. The user's namespace text in the breadcrumb navigation has now changed to "New Username". If clicked, it will open http://example.com/ and not the user's profile page.

### Impact

An attacker could create a malicious clone of the GitLab login page which hijacks account credentials. If a user clicks the malicious link and tries to login to the attacker's fake site, their credentials could be captured by the attacker.

### Examples

[REDACTED]

### What is the current *bug* behavior?

The namespace text of the breadcrumb navigation will be overwritten with a clickable link to an external website.

### What is the expected *correct* behavior?

It should not be possible to change the breadcrumb navigation hyperlink and point it to an external website.
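The root cause described above is a display name reaching breadcrumb markup without escaping. The following Ruby snippet is an added illustration, not code from the report or from GitLab's code base: it renders one breadcrumb entry the vulnerable way and the hardened way (escaping with `ERB::Util.html_escape`), and adds a small check that flags display names containing HTML tags, which a defender can use both as an input validation and as an audit over existing profiles. The profile path `/andor404` and the helper names are assumptions made for the example.

```ruby
require 'erb'

# Constructed sample inputs (not taken from GitLab): a benign display name and the
# injected one from the report's reproduction steps.
BENIGN_NAME   = 'Andor 404'
INJECTED_NAME = '<a href="//example.com">New Username<a>'
PROFILE_PATH  = '/andor404' # hypothetical profile path used for the breadcrumb link

# Vulnerable pattern: the display name is interpolated into breadcrumb markup as-is,
# so an anchor tag inside the name becomes a real, clickable link.
def breadcrumb_unsafe(name, profile_path)
  %(<a href="#{profile_path}">#{name}</a>)
end

# Hardened pattern: every untrusted value is HTML-escaped before it reaches the markup,
# so the injected tag is rendered as literal text and the only link is the profile link.
def breadcrumb_safe(name, profile_path)
  %(<a href="#{ERB::Util.html_escape(profile_path)}">#{ERB::Util.html_escape(name)}</a>)
end

# Defence in depth / detection: flag display names that carry HTML tags at all, so they
# can be rejected on save or surfaced in an audit of existing profiles.
def name_contains_markup?(name)
  name.match?(%r{</?[a-z][^>]*>}i)
end

# Count the clickable links a breadcrumb fragment would produce; a rendered breadcrumb
# entry for one namespace should yield exactly one.
def anchor_count(html)
  html.scan(%r{<a\b[^>]*>}i).size
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{breadcrumb_unsafe(INJECTED_NAME, PROFILE_PATH)}"
  puts "safe:   #{breadcrumb_safe(INJECTED_NAME, PROFILE_PATH)}"
  puts "name contains markup? #{name_contains_markup?(INJECTED_NAME)}"
end
```

Run with `ruby breadcrumb_example.rb`: the unsafe rendering produces three anchor tags (the real profile link plus the two injected ones), while the safe rendering produces exactly one and shows the injected tag as text. Escaping at render time is the fix; rejecting markup in the name on save is an additional layer that also makes existing abuse easy to find.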
### Output of checks

This bug happens on GitLab.com

#### Results of GitLab environment info

```
System information
System:         Kali 2020.3
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.2p137
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.3
Redis Version:  5.0.9
Git Version:    2.29.0
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.8.1-ee
Revision:       e10a21e66ce
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.4
URL:            http://gitlab.local
HTTP Clone URL: http://gitlab.local/some-group/some-project.git
SSH Clone URL:  git@gitlab.local:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.15.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
```

#### Impact

An attacker could create a phishing site which looks like a valid GitLab login page to steal valid credentials of other GitLab users.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

[REDACTED]