XSS On meta tags in profile page
GitLab
Reported by: plazmaz
Vulnerability Details
Technical details and impact analysis
The profile page (https://gitlab.com/u/<user>) does not properly sanitize quotation marks, allowing for injection of attributes into the meta tags. This allows for redirection to phishing sites and various other nefarious things. I've managed to get my [profile page](https://gitlab.com/u/Plazmaz) to redirect to Bing by setting my bio to
`0;url=http://www.bing.com" http-equiv="refresh`
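As an added illustration (not from the report and not GitLab's code), the following Ruby snippet renders a bio into a meta description tag the way the report describes, first by interpolating it verbatim and then with attribute escaping; the bio value is the report's payload and the helper names are assumed.

```ruby
require 'cgi'

# Constructed bio value reproducing the report's payload (not a real profile).
BIO = '0;url=http://www.bing.com" http-equiv="refresh'

# Vulnerable rendering: the bio is interpolated verbatim into the attribute
# value, so the quotation mark closes the content attribute and the remainder
# becomes a new http-equiv attribute on the same meta tag.
def render_meta_unescaped(bio)
  %(<meta name="description" content="#{bio}">)
end

# Hardened rendering: the value is HTML-escaped before interpolation.
# CGI.escapeHTML (stdlib) escapes &, <, >, " and ', so the quote can no longer
# terminate the attribute; Rails' html_escape / ERB::Util.h do the same.
def render_meta_escaped(bio)
  %(<meta name="description" content="#{CGI.escapeHTML(bio)}">)
end

# Minimal attribute extractor used only for the check below: returns a hash of
# attribute name => value for one tag. Sufficient here, not a full HTML parser.
def meta_attributes(tag)
  tag.scan(/([a-z-]+)="([^"]*)"/i).to_h
end

# True when the rendered tag carries an attribute the template never wrote.
def injected?(tag)
  meta_attributes(tag).key?('http-equiv')
end
```

Running `injected?` over both renderings shows the unescaped tag gains an `http-equiv` attribute while the escaped one keeps the whole bio inside `content`.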
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Generic