GitLab - HackerOne Reports
Total reports: 248 (Critical: 33, High: 71, Medium: 86, Low: 41)
JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions
Reported by: jobert | Disclosed: | Severity: Critical | Weakness: Information Disclosure | Bounty: $12000.00

SSRF on project import via the remote_attachment_url on a Note
Reported by: vakzz | Disclosed: | Severity: High | Weakness: Server-Side Request Forgery (SSRF) | Bounty: $10000.00

RCE via github import
Reported by: yvvdwf | Disclosed: | Severity: Critical | Weakness: OS Command Injection

Initial mirror user can be assigned by other user even if the mirror was removed
Reported by: sky003 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $3000.00

[information disclosure] Validate existence of a private project.
Reported by: pandaonair | Disclosed: | Severity: Low | Weakness: Information Disclosure

EXIF metadata not stripped from JPG group logos
Reported by: jackb898 | Disclosed: | Severity: Low | Weakness: Information Disclosure | Bounty: $500.00

GitLab's GitHub integration is vulnerable to SSRF vulnerability
Reported by: jobert | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF) | Bounty: $2000.00

Exfiltrate and mutate repository and project data through injected templated service
Reported by: jobert | Disclosed: | Severity: Critical | Weakness: Improper Access Control - Generic | Bounty: $11000.00

Access to GitLab's Slack by abusing issue creation from e-mail
Reported by: intidc | Disclosed: | Severity: Critical | Weakness: Improper Authentication - Generic

Stored XSS on Files overview by abusing git submodule URL
Reported by: jobert | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored

XSS On meta tags in profile page
Reported by: plazmaz | Disclosed: | Weakness: Cross-site Scripting (XSS) - Generic

Attacker can create malicious child epics linked to a victim's epic in an unrelated group
Reported by: cryptopone | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $1160.00

Instant open redirect on Live preview WEB Ide opening
Reported by: chaosbolt | Disclosed: | Severity: Low | Weakness: Open Redirect | Bounty: $1000.00

Git flag injection leading to file overwrite and potential remote code execution
Reported by: vakzz | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic | Bounty: $3500.00

Uncontrolled Resource Consumption in any Markdown field using Mermaid
Reported by: ryhmnlfj | Disclosed: | Severity: Medium | Weakness: Uncontrolled Resource Consumption | CVEs: CVE-2019-9220

Attacker is able to access commit title and team member comments which are supposed to be private
Reported by: yashrs | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic

Privilege escalation due to insecure use of logrotate
Reported by: petee | Disclosed: | Severity: Low | Weakness: Privilege Escalation

Stored-XSS in merge requests
Reported by: ba5d2d132de8622c890dd60 | Disclosed: | Weakness: Cross-site Scripting (XSS) - Reflected

Arbitrary file read via the bulk imports UploadsPipeline
Reported by: vakzz | Disclosed: | Severity: Critical | Weakness: Path Traversal | Bounty: $29000.00

Blocked user Git access through CI/CD token
Reported by: logan5 | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $1500.00