Stored XSS in Shared runners text
HackerOne report #1174942 by solov9ev
on 2021-04-26, assigned to GitLab Team:
Report
Summary
Hi, Security Team!
I found a stored XSS when the user fills in the "Shared runners text" field.
Steps to reproduce
- Run GitLab (GitLab Community Edition 13.11.1):
  docker run --detach --hostname gitlab.example.com --publish 443:443 --publish 80:80 --publish 22:22 --name gitlab gitlab/gitlab-ce:latest
- Go to /admin/application_settings/ci_cd#js-ci-cd-settings
- Insert the malicious payload in the "Shared runners text" box: <img src=1 onerror=confirm(document.cookie)>
- Then go to the settings of the group or project (/group-1/project-1/-/settings/ci_cd), in the section Settings -> CI/CD
Vulnerable piece of code that displays a value:
= markdown_field(Gitlab::CurrentSettings.current_application_settings, :shared_runners_text)
But elsewhere, for example, in the description of the help page, the malicious load is already being processed:
I understand that you need to have administrator access to inject a malicious load. However, in conjunction with social engineering, implementation can be achieved.
Thank you!
Impact
With this vulnerability, an attacker can, for example, steal users' cookies or redirect users to a malicious website.
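The issue the report describes is an admin-controlled setting rendered by markdown_field into pages that every user sees. The usual mitigation is to pass the rendered HTML through an allowlist sanitizer before output. Below is an added example of such a sanitizer, written here for illustration and not GitLab's own code; the tag and attribute allowlist is an assumption chosen for a short notice like the shared runners text.

```python
from html.parser import HTMLParser
from html import escape

# Assumed allowlist: the markup a short admin notice plausibly needs.
ALLOWED_TAGS = {"p", "a", "b", "strong", "i", "em", "code", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_PREFIXES = ("http://", "https://", "/")  # rejects javascript:, data:, bare "1"


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still emitted (escaped)
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers (onerror, onload, ...) are never allowed
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not (value or "").lower().startswith(SAFE_PREFIXES):
                continue  # only http(s) and site-relative URLs survive
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return html with every non-allowlisted tag, attribute and URL removed."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed input: the exact payload quoted in the report.
REPORTED_PAYLOAD = "<img src=1 onerror=confirm(document.cookie)>"
```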