GitLab - HackerOne Reports
248 Total Reports | 33 Critical | 71 High | 86 Medium | 41 Low
Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings
Reported by: uzsunnyz | Disclosed: | Severity: Low | Weakness: Information Disclosure
Command injection by overwriting authorized_keys file through GitLab import
Reported by: jobert | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic | Bounty: $2000.00
Remote Command Execution via GitHub import
Reported by: vakzz | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic | Bounty: $33510.00 | CVEs: CVE-2022-2884
Potential SSRF via Git repository URL
Reported by: rootbakar___ | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)
Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds
Reported by: uzkova | Disclosed: | Weakness: Information Disclosure
Removed Guest role user who doesn't have access to private project in members able to view jobs
Reported by: tarun_sec | Disclosed: | Weakness: Improper Authorization
Remote hacker can download all the files of master branch in public projects where everything is members only.
Reported by: anshraj_srivastava | Disclosed: | Severity: Medium | Weakness: Improper Authentication - Generic
Double linking causes XSS (but blocked by CSP on gitlab.com)
Reported by: ooooooo_q | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - DOM
Kroki Arbitrary File Read/Write
Reported by: ledz1996 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic
Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result
Reported by: rpadovani | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
Reported by: lucash-dev | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)
SSRF In plantuml (on plantuml.pre.gitlab.com)
Reported by: plazmaz | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)
Reporters can upload design to issues using the "Move to" feature
Reported by: maruthi12 | Disclosed: | Severity: Medium | Weakness: Privilege Escalation | Bounty: $600.00
Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7)
Reported by: phillycheeze | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
Change project visibility to a restricted option
Reported by: s4nderdevelopment | Disclosed: | Severity: Medium | Weakness: Violation of Secure Design Principles | Bounty: $1370.00
Able to leak private email of any user given his/her username via graphql
Reported by: vaib25vicky | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Found Origin IPs lead to access to GitLab
Reported by: narayanan-m | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Unauthorized users may be able to view almost all information related to Private projects.
Reported by: 8ayac | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Full Read SSRF on GitLab's Internal Grafana
Reported by: rhynorater | Disclosed: | Severity: Critical | Weakness: Server-Side Request Forgery (SSRF)
Blocked user Git access through CI/CD token
Reported by: logan5 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $1500.00