GitLab HTML Injection Vulnerability in Child Item Search Leading to Cross-Site Scripting

Vulnerability

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. This vulnerability allows an attacker to inject HTML into the child item search on the issue page, potentially leading to cross-site scripting (XSS) in certain situations. The issue arises because user-controlled content is sent directly into a component that renders HTML, bypassing security measures that are supposed to sanitize such input.
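
The pattern the advisory describes, as an added illustration that is not GitLab's code: a child-item title interpolated straight into markup that a component renders as HTML, beside the escape-on-output form that keeps the title as text. The function names, the foreign-tag check and the sample title are assumptions constructed for this example.

```javascript
// Added example (not GitLab code). Shows why splicing a user-supplied
// child-item title into HTML-rendering markup is unsafe, and the fix.
// Function names and the sample item are constructed for illustration.

// Escape the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the title is spliced straight into markup that a
// component later assigns to innerHTML (or v-html), so any tag inside
// the title becomes live DOM instead of visible text.
function renderChildItemUnsafe(item) {
  return `<li class="child-item" data-id="${item.id}">${item.title}</li>`;
}

// Hardened pattern: every untrusted field is escaped at the point it is
// written into markup; the title is displayed verbatim as text.
function renderChildItemSafe(item) {
  return `<li class="child-item" data-id="${escapeHtml(item.id)}">` +
    `${escapeHtml(item.title)}</li>`;
}

// Defender-side check for a rendering test: count opening tags in the
// output that the template itself did not emit. The template only
// produces <li>, so any other tag means the title was parsed as markup.
function countForeignTags(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<li\b/.test(tag)).length;
}

// Constructed sample: a task whose title carries a reference to an
// uploaded SVG, the shape of input the advisory describes.
const sampleItem = {
  id: 42,
  title: 'Deploy checklist <img src="/uploads/example.svg">',
};
```

Running `countForeignTags` over both renderers in a unit test is a cheap regression guard: the unsafe renderer yields 1 foreign tag for the sample, the escaped one yields 0.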

Impact

Exploitation of this vulnerability allows for HTML injection, which can be used to execute scripts in the context of the user viewing the injected content, leading to cross-site scripting (XSS) attacks.

Reproduction

To reproduce this vulnerability, create a new group and subgroup, then upload a malicious SVG file containing JavaScript into a project within the subgroup. Afterward, create an issue in a different project and inject the SVG file reference into a task name. When the issue is viewed, the injected script will execute, demonstrating the XSS vulnerability.

Remediation

Users can update to GitLab versions 17.8.4 or 17.9.1 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         7.3
impact:         1.7
exploitability: 7.7
remediation:    7.7
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.