A CSP-bypass XSS in user's profile page
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/engineer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2961854](https://hackerone.com/reports/2961854)** by `yvvdwf` on 2025-01-28, assigned to @fvpotvin:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
Hi team,
I recently reported an [XSS concerning asciidoctor render](https://hackerone.com/reports/2922313). GitLab released a [patch](https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/) which effectively fixed the XSS presented in that report by [eliminating](https://gitlab.com/gitlab-org/gitlab/-/commit/fca347dbd3660d89b1a58d39e1cf4ce680363988#d4735e0517aeea0dcd79269bcb59e2815f85f67b_102_102) the `data-lines-path` DOM attribute that was used to trigger the XSS in snippet pages. However, the asciidoctor render in the profile page of users is still vulnerable when exploiting `data-calendar-activities-path`, which leads to an XSS.
#### Reproduce
The following steps reproduce the issue on gitlab.com. They create an XSS in the profile page of a user whose username is `USER-A`. Please replace this username with your own username when reproducing.
##### Step 0.
- create a public snippet with this content: `<script>alert(document.domain)</script>`
- note its raw URL, for example: `[redacted]`
Example:
![redacted]
##### Step 1.
- The objective is to create a public project containing a README.adoc to show in the user profile page (see details [here](https://docs.gitlab.com/ee/user/profile/#add-details-to-your-profile-with-a-readme)).
- If you already have a project at `https://gitlab.com/USER-A/USER-A`, delete it or rename it.
- Create a new blank project:
  + Project name: `USER-A`
  + Project URL: `https://gitlab.com/USER-A`
  + Project slug: `USER-A`
  + Visibility Level: `Public`
  + Project Configuration:
    - Initialize repository with a README: Uncheck
- On the right sidebar, click `New file`; you will be redirected to the GitLab IDE
  + Add a new file `README.adoc` with the content in the attached file
  + Replace the value of `data-calendar-activities-path` with the raw URL of the snippet created in Step 0
  + Commit the new file
Example:
![README.adoc.png]
##### Step 2.
- Open the profile page of user `USER-A` at `https://gitlab.com/USER-A` (the page takes at least 10 seconds to load)
- Then click on the contributions calendar (see the red zone in the figure below); you will see an alert
Example:
![click.png]
#### Impact
Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.
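The report shows the general hazard: client-side code reads a path from a `data-*` attribute, and attacker-controlled markup (a rendered `README.adoc`) can also carry that attribute, so the attacker chooses both what is fetched and what is injected. The block below is an added example written for this issue; it is not GitLab's code and not the reporter's. It assumes the legitimate calendar endpoint is `/users/<username>/calendar_activities` on the page's own origin (an assumed route for the example), that the page knows which username it is displaying, and that `fetchText` and `render` are injected callbacks so the logic can be exercised outside a browser.

```javascript
// Added example (not GitLab code, not from the report): validate a path read
// from a data-* attribute before fetching it and rendering the response.
//
// Vulnerable shape, reconstructed from the report's description (illustrative,
// not GitLab's actual source): the path is taken straight from the DOM and the
// response body is injected as markup, so an attacker who can place the
// attribute into rendered user content picks the URL and the payload.
//
//   const path = el.dataset.calendarActivitiesPath;
//   fetch(path).then(r => r.text()).then(html => { container.innerHTML = html; });

const ORIGIN = 'https://gitlab.example';   // assumed origin of the page for this example
// Assumed legitimate route; the username is captured so it can be cross-checked.
const ACTIVITIES_ROUTE = /^\/users\/([A-Za-z0-9][A-Za-z0-9_.-]*)\/calendar_activities$/;

/**
 * Returns the validated path, or null unless `candidate` is exactly the
 * calendar endpoint for `expectedUsername` on this origin.
 * Uses the WHATWG URL parser so "//evil.example/...", absolute URLs and
 * "../" segments are resolved before the route check, not string-matched.
 */
function validateActivitiesPath(candidate, expectedUsername) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let parsed;
  try {
    parsed = new URL(candidate, ORIGIN);   // resolves relative paths against the page origin
  } catch {
    return null;                           // unparseable value: refuse
  }
  if (parsed.origin !== ORIGIN) return null;                   // protocol-relative / foreign origins
  if (parsed.search !== '' || parsed.hash !== '') return null; // no query or fragment on this endpoint
  const m = ACTIVITIES_ROUTE.exec(parsed.pathname);
  if (m === null) return null;                                 // e.g. a snippet raw path: /-/snippets/<id>/raw
  if (m[1] !== expectedUsername) return null;                  // attribute must match the profile being shown
  return parsed.pathname;
}

/**
 * Loader that only fetches a path which passed validation. `fetchText(path)`
 * returns a Promise<string>; `render(body)` is whatever inserts the result.
 * Even then, the safe design is to render the response as data (text/JSON),
 * not as HTML, since the endpoint is chosen by markup the user controls.
 */
async function loadCalendarActivities({ username, attributeValue, fetchText, render }) {
  const path = validateActivitiesPath(attributeValue, username);
  if (path === null) {
    return { loaded: false, reason: 'rejected data-calendar-activities-path value' };
  }
  const body = await fetchText(path);
  render(body);
  return { loaded: true, path };
}
```

The two checks that matter in the report's scenario are the origin/route match, which rejects a snippet raw URL outright, and the username cross-check, which means a README in one user's project cannot redirect another profile's calendar. Stripping `data-*` attributes from rendered AsciiDoc, as the earlier fix did for `data-lines-path`, removes the attacker's hook on the server side; the client-side validation above is the defence in depth for whichever attribute the frontend consumes next.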
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues