Summary: When using the dropdown that selects the users that are allowed to approve a merge request, it is possible to trigger an XSS with a malicious user name string.
Description: This vulnerability is similar to the recently announced CVE-2018-10379 (and another vulnerability I recently reported here on HackerOne).
The steps to reproduce are fairly simple but there are some restrictions:
More information can be provided upon request.
The security impact is the same as any typical persistent XSS.
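The root cause the report describes is a user-controlled display name reaching the approver dropdown's markup without escaping. The following is an added example (not code from the report or from the affected product) showing the unsafe concatenation pattern beside a hardened version that escapes every dynamic value for its HTML context; the user records and the malicious display name are constructed for illustration.

```javascript
// Added example: build the <option> list of an approver dropdown from user
// records. User display names are attacker-controlled input and must be
// escaped before they are placed into markup. All data here is constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the raw name is concatenated straight into the markup,
// so any tag in the name is parsed as HTML (stored XSS).
function renderApproverOptionsUnsafe(users) {
  return users.map((u) => `<option value="${u.id}">${u.name}</option>`).join('');
}

// Hardened pattern: every dynamic value is escaped for its context,
// so the name is rendered as text no matter what it contains.
function renderApproverOptionsSafe(users) {
  return users
    .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.name)}</option>`)
    .join('');
}

// Check used in tests: does the rendered markup contain any element other
// than the <option> elements we intended to emit?
function hasUnexpectedTags(html) {
  return /<(?!\/?option\b)[a-zA-Z]/.test(html);
}

// Constructed sample input; the second name carries a script tag.
const sampleUsers = [
  { id: 7, name: 'Alice' },
  { id: 9, name: 'Eve <script>alert(1)</script>' },
];

console.log(renderApproverOptionsUnsafe(sampleUsers));
console.log(renderApproverOptionsSafe(sampleUsers));
```

When the dropdown is built directly in the DOM rather than from an HTML string, the equivalent fix is to create each `option` with `document.createElement` and set its label through `textContent`, never through `innerHTML`; the escaping function above is for the string-templating path only.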
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers: