HTMLi in new gitlab application Oauth page (/oauth/authorize) leading to ATO
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2567533](https://hackerone.com/reports/2567533)** by `joaxcar` on 2024-06-20, assigned to @cmaxim:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
#### Summary
There is an HTML injection and XSS in the new https://gitlab.com/oauth/authorize page.
Sorry for the sparse report. Found this when I was supposed to go to bed. The XSS outlined here will only trigger without CSP, but I hope to be able to bypass it when I wake up.
#### Steps to reproduce
1. Go to https://gitlab.com/oauth/applications
2. Create a new application with the name `<img src=x onerror=alert(1)>` and fill in the other fields: Redirect URL as `https://example.com` and scope as `api`.
3. Click create, take note of the application ID
4. Now visit (replace APP ID)
```
https://gitlab.com/oauth/authorize?client_id=APP_ID&redirect_uri=https://example.com&response_type=code&scope=api
```
Open devtools and see the XSS blocked by CSP on gitlab.com, firing on self-hosted.

#### Impact
Stored XSS
#### What is the current *bug* behavior?
Application name rendered without sanitization
#### What is the expected *correct* behavior?
Name should be sanitized.
#### Output of checks
This bug happens on GitLab.com
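The defect the report describes is the application name being interpolated into the authorize page without HTML escaping. The following Ruby snippet is an added illustration, not GitLab's own code: the two `render_authorize_heading_*` functions are hypothetical stand-ins for the authorize template, showing the unescaped rendering beside the escaped form (what Rails' `<%= %>` does by default via `ERB::Util.html_escape`), plus a small post-render check that flags any tag the template itself did not emit. The sample application name is the payload quoted in the report above.

```ruby
require 'erb'

# Constructed sample input: an OAuth application name as registered in the
# report above. Nothing about it is trusted; it comes straight from user input.
UNTRUSTED_APP_NAME = '<img src=x onerror=alert(1)>'

# Vulnerable pattern (hypothetical stand-in for the authorize template):
# the name is interpolated into markup as-is, equivalent to `raw`/`html_safe`
# in an ERB template. The attacker-controlled tag becomes part of the DOM.
def render_authorize_heading_unsafe(app_name)
  "<h1>Authorize #{app_name} to use your account?</h1>"
end

# Fixed pattern: escape the value before interpolation. ERB::Util.html_escape
# turns <, >, &, " and ' into entities, so the name renders as literal text.
def render_authorize_heading_safe(app_name)
  "<h1>Authorize #{ERB::Util.html_escape(app_name)} to use your account?</h1>"
end

# Defender-side check: collect the tag names present in rendered output.
# Returns lower-cased, de-duplicated names in order of first appearance.
def tag_names(html)
  html.scan(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase).uniq
end

# The only tag this (hypothetical) template is expected to emit.
ALLOWED_TAGS = %w[h1].freeze

# True when the rendered fragment contains no tags beyond the template's own;
# a failure here means user data reached the page as markup.
def only_template_tags?(html)
  (tag_names(html) - ALLOWED_TAGS).empty?
end

if __FILE__ == $0
  unsafe = render_authorize_heading_unsafe(UNTRUSTED_APP_NAME)
  safe   = render_authorize_heading_safe(UNTRUSTED_APP_NAME)
  puts "unsafe: #{unsafe}"
  puts "safe:   #{safe}"
  puts "unsafe passes tag check? #{only_template_tags?(unsafe)}"
  puts "safe passes tag check?   #{only_template_tags?(safe)}"
end
```

The tag check is a coarse regression guard for a view test, not a sanitizer: the actual fix is escaping (or a strict allowlist sanitizer) at the point of rendering, and a CSP, as the report notes, only limits what an injected tag can do once it is already on the page.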
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2024-06-21_at_00.49.26.png](https://h1.sec.gitlab.net/a/fedf167d-2557-494d-8acc-296208999e5e/Screenshot_2024-06-21_at_00.49.26.png)
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues