GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*, +2 more
- >= 17.7, < 17.8.6
- >= 17.9, < 17.9.3
- >= 17.10, < 17.10.1
A cross-site scripting (XSS) vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.7 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. The issue arises from improper rendering of certain file types, which allows for the injection of malicious scripts that can be executed in the context of the user's profile.
Exploitation of this vulnerability allows for stored cross-site scripting, bypassing Content Security Policy (CSP) restrictions. This enables attackers to execute arbitrary actions on behalf of victims within their web browser.
To reproduce this vulnerability, create a public snippet containing a script tag with JavaScript code, such as an alert. Then, create a public project and add a README.adoc file. In this file, replace the 'data-calendar-activities-path' attribute with the raw URL of the snippet. After committing the file, visit the user's profile page and click on the contributions calendar to trigger the alert, demonstrating the XSS execution.
Users can update to GitLab versions 17.8.6, 17.9.3, or 17.10.1, where this vulnerability has been fixed.
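For an operator deciding whether an instance needs the upgrade above, the following is an added example (not GitLab code and not part of the advisory) that encodes the three affected ranges and the fixed releases exactly as stated and answers "is this version affected, and which release fixes it". The `assess_version_payload` helper assumes the caller has already fetched the JSON body of GitLab's `GET /api/v4/version` endpoint; the sample payload below is constructed, not real.

```python
"""Version check for the GitLab stored-XSS advisory (added example, not GitLab's own code)."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ((17, 7, 0), (17, 8, 6)),    # >= 17.7,  < 17.8.6
    ((17, 9, 0), (17, 9, 3)),    # >= 17.9,  < 17.9.3
    ((17, 10, 0), (17, 10, 1)),  # >= 17.10, < 17.10.1
]

# Releases in which the advisory says the issue is fixed.
FIXED_VERSIONS = [(17, 8, 6), (17, 9, 3), (17, 10, 1)]


def parse_version(text: str) -> Version:
    """Parse '17.8.5', '17.8.5-ee' or '17.9.0-pre' into a (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # drop the edition / pre-release suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> Optional[str]:
    """Smallest fixed release not older than the given version, or None if unaffected.

    17.7.x has no fixed 17.7 release, so it resolves to 17.8.6, as the advisory states.
    """
    v = parse_version(version)
    if not is_affected(version):
        return None
    candidates = [f for f in FIXED_VERSIONS if f >= v]
    return ".".join(str(n) for n in min(candidates))


def assess_version_payload(payload: dict) -> str:
    """Summarise a /api/v4/version response body (assumed already fetched by the caller)."""
    version = payload["version"]
    fixed = minimum_fixed_version(version)
    if fixed is None:
        return f"{version}: not in an affected range"
    return f"{version}: affected, upgrade to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample payload; a real response also carries a 'revision' field.
    print(assess_version_payload({"version": "17.9.1-ee", "revision": "placeholder"}))
```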