#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  GitLab CE+EE
# Vendor:   GitLab Inc.
# CSNC ID:  CSNC-2017-033
# Subject:  Cross-Site Scripting
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Sylvain Heiniger
# Date:     2018-01-09
#
#############################################################

Introduction:
-------------
GitLab [1] is a web-based Git repository manager with wiki and issue
tracking features, released under an open source license and developed
by GitLab Inc.

Compass Security discovered a web application security flaw in the
comment editing functionality that allows an authenticated user to
execute JavaScript code when editing and saving a comment. This may
allow an attacker to redirect a user who edits a comment to a phishing
page and gather credentials.

Affected:
---------
Vulnerable:
* 10.0.0–10.0.6, 10.1.0–10.1.4, 10.2.0–10.2.3

Not vulnerable:
* 10.2.4, 10.1.5, and 10.0.7

Technical Description
---------------------
The cross-site scripting is triggered client-side when a user edits a
comment and clicks the submit button. At that moment the input in the
comment text area is interpreted as HTML/JavaScript by the browser
before it is submitted to the server, where it is correctly encoded and
stored. The server-side encoding therefore does not protect against this
issue; the unencoded text is rendered on the client first.

Workaround / Fix:
-----------------
Apply the provided patches.

Timeline:
---------
2018-01-09: Public disclosure by Compass Security
2017-12-08: Release of fixed Version / Patch [2]
2017-11-30: Initial vendor response
2017-11-30: Initial vendor notification
2017-11-30: Discovery by Sylvain Heiniger

References:
-----------
[1] https://about.gitlab.com/
[2] https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/
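The bug class in the Technical Description, shown as an added example that is not GitLab's code: a client-side "optimistic" re-render of the edited comment that hands the raw textarea value to the HTML parser, beside the hardened form that treats it as text. The function names and the element stand-in are assumptions made so the example runs outside a browser.

```javascript
// Added example (not GitLab's code). Names are assumptions for illustration.

// Minimal stand-in for a DOM element so this runs without a browser. In a
// real page, assigning innerHTML makes the browser parse the string as HTML
// and execute any script-bearing markup; textContent displays it literally.
function makeElement() {
  return {
    parsedAsHtml: null,   // what an innerHTML assignment would feed the parser
    shownAsText: null,    // what a textContent assignment would display
    set innerHTML(v) { this.parsedAsHtml = v; },
    set textContent(v) { this.shownAsText = v; },
  };
}

// Vulnerable pattern: re-render the edited note from the raw textarea value
// as markup before the server has had a chance to encode it.
function renderEditedNoteUnsafe(noteElement, textareaValue) {
  noteElement.innerHTML = textareaValue;
  return noteElement;
}

// Hardened pattern: the user's text is data, never markup. Rendered markdown
// should come back from the server already encoded, not be built client-side.
function renderEditedNoteSafe(noteElement, textareaValue) {
  noteElement.textContent = textareaValue;
  return noteElement;
}

// Escaping helper for code paths that must build an HTML string themselves.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed comment edit containing markup (sample input, not a real payload).
const CONSTRUCTED_EDIT = "Looks good <b>to me</b><script>/* constructed */</script>";

// Compares both paths on the same input and reports whether script markup
// would reach the HTML parser; also returns the escaped form of the input.
function demo() {
  const unsafe = renderEditedNoteUnsafe(makeElement(), CONSTRUCTED_EDIT);
  const safe = renderEditedNoteSafe(makeElement(), CONSTRUCTED_EDIT);
  return {
    unsafeParsesScript: /<script/i.test(unsafe.parsedAsHtml || ""),
    safeParsesScript: /<script/i.test(safe.parsedAsHtml || ""),
    escaped: escapeHtml(CONSTRUCTED_EDIT),
  };
}
```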