Exploiting a Safe-looking API Response to Trigger Full XSS in Self-Hosted GitLab Instances Lacking CSP
Integrations are great for productivity — but they also open up new attack surfaces. In this case, a premium feature meant to pull in external issues from ZenTao into GitLab created a surprising vulnerability: an attacker-controlled API response leading to full cross-site scripting (XSS) on self-hosted GitLab instances.
This bug didn’t require a complex bypass or a deep exploit chain — just a clever payload injected into a seemingly trusted field, enabled by insufficient backend sanitization and the absence of a strict Content Security Policy (CSP).
The Vulnerability: XSS via ZenTao Issue Integration
GitLab’s premium integration with ZenTao allows users to display external ZenTao issues within GitLab. When a user visits an issue page like:
https://gitlab.example.com/group/project/-/integrations/zentao/issues/story-1

GitLab fetches the following from the ZenTao server:
https://zentao.example.net/api.php/v1/issues/story-1
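To make the trust problem concrete, here is an added illustration (not GitLab's or ZenTao's code) of what goes wrong when a field from that upstream response is interpolated into page markup unescaped, alongside the escaped rendering and a strict CSP header that would have contained the damage. The field names (`title`, `description`), the sample response and the probe payload are constructed for this example; the page does not say which field or payload was used in the real report.

```javascript
// Added example: attacker-controlled API response rendered unsafely vs. safely.
// Not the GitLab integration's own code. Field names and the sample response
// are assumptions constructed for illustration.

// Constructed ZenTao-style response. The `title` carries a generic XSS probe;
// the `description` shows ordinary characters that also need escaping.
const sampleResponse = {
  id: "story-1",
  title: '<img src=x onerror="alert(document.domain)">',
  description: "Plain text & <b>not bold</b>",
};

// Minimal HTML escaper for the five characters that matter in element content
// and in double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: treats the upstream JSON as trusted and builds markup by
// string interpolation, so whatever the ZenTao server returns is parsed as HTML.
function renderIssueUnsafe(issue) {
  return `<div class="issue">
  <h2>${issue.title}</h2>
  <p>${issue.description}</p>
</div>`;
}

// Hardened rendering: every untrusted field is escaped before interpolation, so
// the browser shows the payload as text instead of creating an element from it.
function renderIssueSafe(issue) {
  return `<div class="issue">
  <h2>${escapeHtml(issue.title)}</h2>
  <p>${escapeHtml(issue.description)}</p>
</div>`;
}

// Helper that makes the difference observable: does the rendered markup still
// contain the untrusted field verbatim (i.e. as live HTML)?
function containsRawField(html, fieldValue) {
  return html.includes(fieldValue);
}

// Defence in depth: a strict CSP value. Without 'unsafe-inline' the inline
// `onerror` handler above is blocked even if an escaping bug slips through.
// The nonce is a per-response random value supplied by the server.
function strictCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

console.log("unsafe:\n" + renderIssueUnsafe(sampleResponse));
console.log("safe:\n" + renderIssueSafe(sampleResponse));
console.log("Content-Security-Policy: " + strictCsp("r4nd0m"));
```

The unsafe renderer emits the probe as a live `<img>` element whose `onerror` handler runs as soon as the image fails to load; the safe renderer emits `&lt;img ...&gt;`, which the browser displays as literal text. The CSP is the second layer: it does not fix the escaping bug, but it stops inline event handlers from executing, which is exactly the layer the page notes was missing on the affected self-hosted instances.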