Gitblit Reflected Cross-Site Scripting Vulnerability via Angular Template Injection

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Gitblit version 1.7.1, stemming from a template injection issue that allows authenticated administrators to execute arbitrary JavaScript in the application's context. The vulnerability arises in the 'r' parameter, where malicious Angular expressions can be injected. Exploitation can occur through GET requests to the summary endpoint or POST requests to certain Wicket interface endpoints, although the GET method is more easily weaponized. This flaw could lead to session hijacking, data theft, or further privilege escalation.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an authenticated administrator can execute arbitrary client-side code. This could result in session hijacking, data theft, or unauthorized privilege escalation.

Reproduction

To reproduce this vulnerability, send a GET request to the summary endpoint with a crafted 'r' parameter that includes a malicious Angular expression. Alternatively, a POST request can be made to specific Wicket interface endpoints, but this method is not as easily weaponized.
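A detection sketch for the GET path described above, added here as an example and not taken from Gitblit or the original advisory: it scans web access logs for an 'r' query parameter whose decoded value contains the Angular interpolation delimiter `{{`. The log format, hosts, paths and repository names are constructed assumptions, and the check matches 'r' on any path because the advisory does not give the exact URL; POST bodies are not visible in access logs and are out of scope.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a common-log-format entry (format is an assumption).
REQUEST = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the third one is double percent-encoded.
SAMPLE_LOG = """\
192.0.2.10 - admin [27/Aug/2025:17:01:02 +0000] "GET /summary/?r=project.git HTTP/1.1" 200 5120
192.0.2.44 - admin [27/Aug/2025:17:03:40 +0000] "GET /summary/?r=%7B%7B7*7%7D%7D HTTP/1.1" 200 4987
192.0.2.44 - admin [27/Aug/2025:17:03:55 +0000] "GET /summary/?r=%257B%257B7*7%257D%257D HTTP/1.1" 200 4990
192.0.2.10 - admin [27/Aug/2025:17:05:11 +0000] "GET /tree/?r=docs.git&h=master HTTP/1.1" 200 3310
"""


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_r_values(log_text):
    """Return (client_ip, decoded r value) for requests whose 'r' contains '{{'."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs already decodes once; fully_decode handles extra layers.
        for value in parse_qs(query, keep_blank_values=True).get("r", []):
            decoded = fully_decode(value)
            # A repository name has no legitimate need for '{{'.
            if "{{" in decoded:
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_r_values(SAMPLE_LOG):
        print(f"{ip}\tr={value}")
```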

Added: Aug 27, 2025, 5:19 PM
Updated: Aug 27, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.