A stored cross-site scripting vulnerability, one of the most impactful web risks, has been discovered in GitLab’s repository file viewer.
Security researcher kannthu found that the open-source repository management system was using an outdated version of Swagger UI to display OpenAPI specifications in repository files, which in turn relied on an old version of the DOMPurify library.
That version failed to adequately sanitise malicious HTML attributes, so payloads could be embedded in OpenAPI files and would then execute when users viewed the file via GitLab’s interface.
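The weak point described above is free-text fields in an OpenAPI document (descriptions, summaries, titles) that a viewer renders as HTML. The following added example, which is not GitLab's or Swagger UI's code, walks a parsed OpenAPI object and flags such fields whose HTML carries event-handler attributes or script-scheme URLs, so a repository or CI check can reject or review the file before any viewer renders it. The spec it runs over is a constructed sample; the field list and the regular expressions are assumptions chosen for illustration.

```javascript
// Added example (not GitLab's or Swagger UI's code): walk an OpenAPI document and flag
// rendered text fields whose HTML carries event-handler attributes or script URLs.
// This is a detection aid for review pipelines; rendering must still pass through a
// current, maintained sanitizer such as an up-to-date DOMPurify.

// Fields in an OpenAPI document that viewers typically render as (Markdown/)HTML.
// Assumed list for illustration.
const RENDERED_FIELDS = new Set(["description", "summary", "title", "termsOfService"]);

// Matches an HTML start tag and captures its name and attribute string.
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
// Any on* attribute (onerror, onload, onmouseover, ...), quoted or not.
const EVENT_ATTR_RE = /(?:^|\s)on[a-zA-Z]+\s*=/i;
// URL-bearing attributes whose value starts with a script scheme.
const SCRIPT_URL_RE =
  /(?:^|\s)(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*(?:javascript|vbscript):/i;

// Returns a list of human-readable reasons why a string should not be rendered as-is.
function inspectHtmlString(text) {
  const reasons = [];
  for (const m of text.matchAll(TAG_RE)) {
    const [, tag, attrs] = m;
    const name = tag.toLowerCase();
    if (EVENT_ATTR_RE.test(attrs)) reasons.push(`<${name}> has an event-handler attribute`);
    if (SCRIPT_URL_RE.test(attrs)) reasons.push(`<${name}> has a script-scheme URL`);
  }
  return reasons;
}

// Walks a parsed OpenAPI object (from JSON.parse or a YAML loader) and returns
// one finding per offending field: { path, reasons }.
function scanOpenApiDocument(doc) {
  const findings = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node && typeof node === "object") {
      for (const [key, value] of Object.entries(node)) {
        const childPath = path ? `${path}.${key}` : key;
        if (typeof value === "string" && RENDERED_FIELDS.has(key)) {
          const reasons = inspectHtmlString(value);
          if (reasons.length) findings.push({ path: childPath, reasons });
        } else {
          walk(value, childPath);
        }
      }
    }
  };
  walk(doc, "");
  return findings;
}

// Constructed sample spec: one benign description with harmless markup and one
// operation description carrying an inline event handler.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  info: {
    title: "Pet store (constructed sample)",
    description: "Plain text with <b>bold</b> markup is fine.",
    version: "1.0.0",
  },
  paths: {
    "/pets": {
      get: {
        summary: "List pets",
        description: 'See <img src="x" onerror="alert(1)"> for details.',
        responses: { "200": { description: "OK" } },
      },
    },
  },
};

// Runs the scanner over the sample and prints each finding with its JSON path.
function demo() {
  const findings = scanOpenApiDocument(SAMPLE_SPEC);
  for (const f of findings) console.log(`${f.path}: ${f.reasons.join("; ")}`);
  return findings;
}

demo();
```

Running the block reports the single offending field, `paths./pets.get.description`, while the `<b>` markup in the info description passes. The regular expressions deliberately err on the side of flagging: a pattern-based pre-check like this is useful for gating files in CI, but it is not a parser and must not replace the sanitizer in the rendering path, which is exactly the component that was out of date in the case above.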
The vulnerability earned kannthu a $2,000 bounty under GitLab report ID #1072868.
Kannthu has previously disclosed a JSON webhook injection and an RCE in the GitLab setting variable.