GitLab - HackerOne Reports
View on HackerOne
Total Reports: 248 | Critical: 33 | High: 71 | Medium: 86 | Low: 41
View the Starred Projects in a Private Profile
Reported by: maruthi12 | Disclosed: | Severity: Low | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $500.00
Send arbitrary PUT requests when user clicks on a link
Reported by: yvvdwf | Disclosed: | Severity: Medium | Weakness: Command Injection - Generic
CSRF Token Bypass in Account Deletion
Reported by: 7h0r4pp4n | Disclosed: | Severity: Low | Weakness: Cross-Site Request Forgery (CSRF)
When you call your branch the same name as a git hash, it could be checked out by dependents
Reported by: retroplasma | Disclosed: | Severity: Medium | Weakness: Resource Injection | Bounty: $2000.00
Stored-XSS in merge requests
Reported by: yvvdwf | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
Last build status and coverage leaked to unauthorized users
Reported by: xanbanx | Disclosed: | Severity: Low | Weakness: Information Disclosure
DoS on the Issue page by exploiting Mermaid.
Reported by: 8ayac | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption | Bounty: $3000.00
Boards leak private label names and descriptions
Reported by: jobert | Disclosed: | Weakness: Information Disclosure
Stored XSS in "Create Groups"
Reported by: rioncool22 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $2500.00
Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution
Reported by: pruby | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles
Head pipeline leaked to unauthorized users via blocking merge request feature
Reported by: xanbanx | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic
Account takeover due to insufficient URL validation on RelayState parameter
Reported by: bull | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF) | Bounty: $2450.00
DOS: taking down a 1k users Gitlab EE instance or multiple Sidekiq instances by importing a malicious repo from a Github EE self-hosted server
Reported by: a92847865 | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption
Stored-XSS injected in Wiki page via Banzai pipeline
Reported by: yvvdwf | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
Ability to access all user authentication tokens, leads to RCE
Reported by: jobert | Disclosed: | Severity: Critical | Weakness: Privilege Escalation
Unrestricted file upload leads to Stored XSS
Reported by: semsem123 | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored
Todos are not redacted when membership changes - Access to (confidential) issues and merge requests
Reported by: vaib25vicky | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Bypass of GitLab CI runner slash fix in YAML validation
Reported by: ngalog | Disclosed: | Severity: Critical | Weakness: Improper Input Validation
Stored XSS in merge request pages
Reported by: 8ayac | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
Blocked user Git access through CI/CD token
Reported by: logan5 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $1500.00