GitLab - HackerOne Reports
Total Reports: 248 | Critical: 33 | High: 71 | Medium: 86 | Low: 41
Gitlab Pages token theft using service workers
Reported by: ehhthing | Disclosed: | Severity: Medium | Weakness: Improper Authorization | Bounty: $1680.00
CSV injection in gitlab.com via issues export feature.
Reported by: edoverflow | Disclosed: | Severity: Medium | Weakness: Command Injection - Generic
Add and Access to Labels of any Private Projects/Groups of Gitlab (IDOR)
Reported by: indoappsec | Disclosed: | Severity: Low | Weakness: Insecure Direct Object Reference (IDOR)
Guest Users can create issues for Sentry errors and track their status
Reported by: maruthi12 | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic | Bounty: $610.00
Markdown based stored XSS (IE only)
Reported by: a0xnirudh | Disclosed: | Weakness: Cross-site Scripting (XSS) - Generic
XSS on Issue reference numbers
Reported by: yvvdwf | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - DOM
SSRF vulnerability in gitlab.com webhook
Reported by: wuqidashi | Disclosed: | Severity: Medium | Weakness: Server-Side Request Forgery (SSRF)
GitHub import allows user to create child group under existing namespace
Reported by: jobert | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic | Bounty: $750.00
Git flag injection - Search API with scope 'blobs'
Reported by: vakzz | Disclosed: | Severity: High | Weakness: Command Injection - Generic | Bounty: $7000.00
Users can download old project exports due to unclaimed namespace
Reported by: jobert | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Users with guest access can post notes to private merge requests, issues, and snippets
Reported by: jobert | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
HTML injection possible with soft email confirmations when Administrator manually confirms attacker email address
Reported by: cryptopone | Disclosed: | Severity: Low | Weakness: Resource Injection | Bounty: $1060.00
User with guest access can access private merge requests
Reported by: jobert | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
Every user can delete public deploy keys
Reported by: jobert | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
Private objects exposed through project import
Reported by: saltyyolk | Disclosed: | Severity: Critical | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $20000.00
Stored XSS in merge request pages
Reported by: mike12 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $3500.00
Stored XSS in Mermaid when viewing Markdown files
Reported by: saleemrashid | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - DOM
Insufficient Type Check on GraphQL leading to Maintainer delete repository
Reported by: ledz1996 | Disclosed: | Severity: High | Weakness: Improper Access Control - Generic
Stored XSS on the job page
Reported by: mike12 | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $3000.00
Stored XSS on PyPi simple API endpoint
Reported by: vakzz | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $3000.00