In GitLab 15.0.0 a new Customer Relations feature was added that allows us to use quick actions to find the contact we wish to select.
However, I noticed that if I set the contact’s first name or last name to `<script>alert(document.domain)</script>`, we can get the XSS to trigger when we attempt to use the quick commands to add/remove a contact.
Create a contact with “First name” set to “`<script>alert(document.domain)</script>`” and “Last name” set to “`<script>alert(document.domain)</script>`”. Provide an email address and save your changes.
Users attempting to use the quick commands `/add_contacts` or `/remove_contacts` could inadvertently trigger the XSS while attempting to add or remove a customer on an issue.
This bug was discovered originally on my self-hosted 15.0.0 but is reproducible on gitlab.com.
Create a contact with the payload in the first name and last name fields
{F1740002}
Create a new issue and type “/add_contacts” in the markdown text area to trigger the popup to appear
{F1740003}
Press enter, which will trigger the XSS when attempting to load the list of contacts
{F1740004}
Actual result: the HTML special characters are not escaped, so the injected markup (for example an iframe) is rendered into the page and the XSS executes.
Expected result: the HTML special characters would be escaped and the contact names shown as literal text in the contact list popup.
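To show the defect and its fix side by side, the following is an added illustration (not GitLab's code) of how a contact's name ends up inside an autocomplete popup: the unsafe renderer interpolates the stored name straight into markup that would later be assigned to `innerHTML`, while the hardened renderer escapes every untrusted field first. The contact records, function names and the `containsRawTag` check are constructed for this example.

```javascript
// Constructed sample contacts; the first mirrors the payload from the report.
const contacts = [
  { firstName: '<script>alert(document.domain)</script>',
    lastName: '<script>alert(document.domain)</script>',
    email: 'attacker@example.com' },
  { firstName: 'Ada', lastName: 'Lovelace', email: 'ada@example.com' },
];

// Vulnerable pattern: user-controlled name fields are concatenated directly into
// the list item markup. Once this string is assigned to innerHTML, any tags in
// the name are parsed as real HTML and their script runs as the viewing user.
function renderContactItemUnsafe(c) {
  return `<li class="contact">${c.firstName} ${c.lastName} &lt;${c.email}&gt;</li>`;
}

// Hardened pattern: escape the five HTML-significant characters in every
// untrusted value before interpolation, so the browser displays the tags as
// literal text instead of executing them.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderContactItemSafe(c) {
  return `<li class="contact">${escapeHtml(c.firstName)} ${escapeHtml(c.lastName)} ` +
         `&lt;${escapeHtml(c.email)}&gt;</li>`;
}

// Builds the whole popup with the chosen item renderer (the structure here is
// an assumption; the real dropdown markup is not part of this example).
function renderPopup(renderItem) {
  return `<ul class="contacts-dropdown">${contacts.map(renderItem).join('')}</ul>`;
}

// Simple regression check a tester could run against rendered popup markup:
// does it still contain an unescaped active tag that came from user data?
function containsRawTag(html) {
  return /<script\b|<iframe\b|<img\b/i.test(html);
}

// Run both renderers over the same data so the difference is visible.
console.log('unsafe popup contains raw tag:', containsRawTag(renderPopup(renderContactItemUnsafe)));
console.log('safe popup contains raw tag:  ', containsRawTag(renderPopup(renderContactItemSafe)));
```

The same escaping must be applied wherever the name is rendered, including the dropdown reached through `/add_contacts` and `/remove_contacts`, or the page stays exploitable through whichever path was missed.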
This bug is reproducible on Gitlab.com
```
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version:2.2.33
Rake Version: 13.0.6
Redis Version: 6.2.6
Sidekiq Version:6.4.0
Go Version: unknown
GitLab information
Version: 15.0.0-ee
Revision: 3b397c17532
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.10
URL: http://gitlab-pentest4.example.com
HTTP Clone URL: http://gitlab-pentest4.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab-pentest4.example.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
## Impact
JavaScript execution as the authenticated user when the user attempts to add or remove a contact for the new customer relations feature.