GitLab Cross-Site Scripting Vulnerability in Merge Request Error Messages

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in GitLab's Enterprise Edition (EE) and Community Edition (CE) within the Application Security (AppSec) module. This issue affects all versions from 13.5.0 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. The vulnerability arises from certain merge request error messages that can be manipulated to inject malicious HTML; the injected markup bypasses the Content Security Policy (CSP) and executes in the browser context of the user viewing the merge request.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute arbitrary actions on behalf of the victim within their browser.

Reproduction

To reproduce this vulnerability, import a GitLab project export containing a merge request into a new project. Before importing, modify the 'merge_error' field in the export's 'merge_requests.ndjson' file to include a crafted HTML link. After importing the project, change its visibility to public or invite a victim as a Developer member. The victim then triggers the XSS by opening the merge request and clicking the 'Add previously merged commits' button, which causes the injected markup to execute.
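As an added defender-side check, not part of the original advisory and not GitLab's own code: a script that scans the 'merge_requests.ndjson' file of a project export for HTML markup in the 'merge_error' field before the archive is imported into an instance that has not yet been upgraded. The sample export lines below are constructed for illustration; flagging entity-encoded angle brackets as well is an assumption about what a reviewer would want to see, not something the advisory states.

```python
import json
import re
import sys

# Field named in the advisory as the one whose content reached the page as HTML.
# Kept as a tuple so further fields can be added if an audit finds them.
SUSPECT_FIELDS = ("merge_error",)

# Anything that looks like an HTML tag, or an entity-encoded '<' that a UI might
# decode back into one (the entity checks are an assumption, see lead-in).
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|&lt;|&#x3c;|&#60;", re.IGNORECASE)


def find_html_in_export(ndjson_text: str) -> list:
    """Return one finding per export line whose suspect field contains markup."""
    findings = []
    for lineno, raw in enumerate(ndjson_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError as exc:
            # A malformed line is itself worth reporting: it should not be imported blind.
            findings.append({"line": lineno, "field": None, "reason": f"invalid JSON: {exc.msg}"})
            continue
        for field in SUSPECT_FIELDS:
            value = record.get(field)
            if isinstance(value, str) and HTML_MARKUP.search(value):
                findings.append({"line": lineno, "field": field,
                                 "iid": record.get("iid"), "snippet": value[:80]})
    return findings


# Constructed sample: two benign merge requests and one whose merge_error carries a link tag.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"iid": 1, "title": "Fix typo", "merge_error": None}),
    json.dumps({"iid": 2, "title": "Refactor", "merge_error": "Something went wrong during merge"}),
    json.dumps({"iid": 3, "title": "Feature", "merge_error": 'Retry <a href="https://example.invalid">here</a>'}),
])

if __name__ == "__main__":
    # Usage: python scan_export.py path/to/merge_requests.ndjson  (no path: scan the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NDJSON
    for f in find_html_in_export(text):
        print(f)
```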

Remediation

Users should update to GitLab versions 17.10.1 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.