Summary:
When using the dropdown that selects the users who are allowed to approve a merge request, it is possible to trigger an XSS with a malicious user name string.
Description:
This vulnerability is similar to the recently announced CVE-2018-10379 (and another vulnerability I recently reported here on HackerOne).
The steps to reproduce are fairly simple but there are some restrictions:
More information can be provided upon request.
Like the previous report I submitted, it is due to improper sanitization in a JS file. I believe this is the offending line: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/app/assets/javascripts/approvers_select.js#L134
The security impact is the same as for any typical persistent XSS.
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
URL:
https://gitlab.com/group/project/edit
Verified:
Yes