GitLab - HackerOne Reports
Total Reports: 247 | Critical: 33 | High: 70 | Medium: 86 | Low: 41
Ability To Delete User(s) Account Without User Interaction
Reported by: hx01 | Disclosed: | Severity: High | Weakness: Misconfiguration
[RDoc] XSS in project README files
Reported by: ysx | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Generic
Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name"
Reported by: joaxcar | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $3000.00
Blocked user Git access through CI/CD token
Reported by: logan5 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $1500.00
Able to view HackerOne report attachments
Reported by: sateeshn | Disclosed: | Severity: Critical | Weakness: Insecure Storage of Sensitive Information
GFM renderer leaks external issue tracker URL of private project
Reported by: jobert | Disclosed: | Weakness: Information Disclosure
Stored XSS for Grafana dashboard URL
Reported by: xanbanx | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
CSP-bypass XSS in project settings page
Reported by: yvvdwf | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Generic
Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances
Reported by: iwis | Disclosed: | Severity: Medium | Weakness: Command Injection - Generic
GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection
Reported by: ajxchapman | Disclosed: | Severity: High | Weakness: OS Command Injection
RepositoryPipeline allows importing of local git repos
Reported by: vakzz | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $22300.00
Stored-XSS on wiki pages
Reported by: yvvdwf | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
RCE via unsafe inline Kramdown options when rendering certain Wiki pages
Reported by: vakzz | Disclosed: | Severity: Critical | Weakness: Code Injection | Bounty: $20000.00
Local files could be overwritten in GitLab, leading to remote command execution
Reported by: saltyyolk | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic | Bounty: $12000.00
Dependency Confusion via Lookup Request Forwarding to PyPi.org
Reported by: usd-responsible-disclosure | Disclosed: | Weakness: Misconfiguration
Impersonation attack via Broken Link in Resellers Page
Reported by: cdl | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles
SafeParamsHelper::safe_params is not so safe
Reported by: vakzz | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $4000.00
Attacker is able to create, edit & delete notes and leak the title of a victim's private personal snippet
Reported by: cryptopone | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $1730.00
Command injection by overwriting authorized_keys file through GitLab import
Reported by: jobert | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic | Bounty: $2000.00
Blind SSRF in FogBugz project import
Reported by: mike12 | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)