
Stored XSS in maintenance mode banner message on instances without CSP

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2051381 by js_noob on 2023-07-05, assigned to @kmorrison1:


Report

Summary

Hello team, I've found a bug that allows saving JS that gets executed on the users' end on every navigation. The JS code gets saved in the maintenance mode banner message.

NOTE: I know that this requires admin permission for the whole instance, which is reflected in my CVSS calculation, but this shouldn't be allowed. The admin already has a way to impersonate users, BUT that action is logged and is monitored by others; this bug allowed him to impersonate these users without any kind of monitoring. I've also tested almost every single "admin-only input" and none of them allow XSS; they're all filtered on the users' UI. As a result, I believe this is neither intended nor an acceptable risk.

Steps to reproduce
  1. Spin up your own GitLab instance
  2. Navigate to https://gitlab-private.net/admin/application_settings/general, scroll down to Maintenance mode
  3. Enable it and add the following content in the message input
     <svg>
        <script type="text/javascript">
           alert(document.cookie);
        </script>
     </svg>

image.png

  4. Sign up as any other user, and verify that on every page load, an alert is fired
Examples

bandicam_2023-07-05_20-52-29-476.mp4

Output of checks

I believe this also happens on GitLab, but can't confirm.

Results of GitLab environment info
System information  
System:         Debian 11  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   3.0.6p216  
Gem Version:    3.4.13  
Bundler Version:2.4.14  
Rake Version:   13.0.6  
Redis Version:  6.2.11  
Sidekiq Version:6.5.7  
Go Version:     unknown

GitLab information  
Version:        16.1.1-ee  
Revision:       d3582d7719f  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.11  
URL:            https://gitlab-xxxxxxxxx.net  
HTTP Clone URL: https://gitlab-xxxxxxxxx.net/some-group/some-project.git  
SSH Clone URL:  git@gitlab-xxxxxxxxx.net:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        14.23.0  
Repository storages:  
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

Impact

Stored XSS allows users to impersonate others by running stored JS code, which leads to stealing users' cookies.
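To make the defect concrete for whoever triages this, here is an added example (not code from the report or from GitLab itself) that contrasts raw interpolation of the stored banner setting with entity-escaped rendering, adds the nonce-based CSP that the title's "instances without CSP" qualifier refers to, and includes a small audit check an operator could run over the stored setting. The `maintenance-banner` wrapper, the helper names and the CSP string are assumptions; the payload is the one from the report, used as the constructed test input.

```ruby
require 'cgi'
require 'securerandom'

# Constructed test input: the payload from the report above.
REPORT_PAYLOAD = "<svg>\n<script type=\"text/javascript\">\nalert(document.cookie);\n</script>\n</svg>"

# Vulnerable rendering (hypothetical): the stored setting is interpolated
# straight into the page, so the browser parses and runs the script element.
def render_banner_unsafe(message)
  "<div class=\"maintenance-banner\">#{message}</div>"
end

# Fixed rendering (hypothetical): the banner is treated as text. Every '<',
# '>', '&', '"' and "'" becomes an entity, so no element is ever created.
def render_banner_escaped(message)
  "<div class=\"maintenance-banner\">#{CGI.escapeHTML(message)}</div>"
end

# Defence in depth: a per-response nonce-based CSP leaves an inline <script>
# inert even where escaping was missed. The nonce must be fresh per response
# and attached to the application's own script tags.
def csp_header(nonce)
  "default-src 'self'; script-src 'self' 'nonce-#{nonce}'; object-src 'none'; base-uri 'self'"
end

# Audit helper: flags markup that would execute if rendered raw, so an
# operator can review what has been stored in the banner setting.
def suspicious_banner?(message)
  !!(message =~ /<\s*(script|svg|iframe|object|embed)\b/i) ||
    !!(message =~ /\bon[a-z]+\s*=/i) ||
    !!(message =~ /javascript:/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_banner_unsafe(REPORT_PAYLOAD)    # contains a live <script>
  puts render_banner_escaped(REPORT_PAYLOAD)   # contains only &lt;script&gt;
  puts csp_header(SecureRandom.base64(16))
  puts suspicious_banner?(REPORT_PAYLOAD)      # true
end
```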

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Kevin Morrison