GitLab - HackerOne Reports
Total Reports: 248
Critical: 33
High: 71
Medium: 86
Low: 41
SafeParamsHelper::safe_params is not so safe
Reported by: vakzz | Disclosed: | Severity: High
Weakness: Cross-site Scripting (XSS) - Reflected
Bounty: $4000.00
Revoked user can still view the Merge Request created by him via API
Reported by: muthu_prakash | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
Bounty: $1500.00
Unauthorized user is able to access schedule pipeline variables and values
Reported by: vaib25vicky | Disclosed: | Severity: High
Weakness: Information Disclosure
Email notification about login email change is not received when using verified linked email address
Reported by: shaileshpratapwar | Disclosed:
Weakness: Violation of Secure Design Principles
Claiming package names in GitLab's automatic package referencer.
Reported by: edoverflow | Disclosed: | Severity: Low
Weakness: Business Logic Errors
Bounty: $1000.00
Bypass Email Verification using Salesforce -- Reproducible in gitlab.com
Reported by: ngalog | Disclosed: | Severity: High
Weakness: Violation of Secure Design Principles
Guest users can create new test cases
Reported by: maruthi12 | Disclosed: | Severity: Medium
Weakness: Privilege Escalation
Bounty: $650.00
Stored XSS via Mermaid Prototype Pollution vulnerability
Reported by: misha98857 | Disclosed: | Severity: High
Weakness: Cross-site Scripting (XSS) - Stored
Bounty: $3000.00
Drive-by arbitrary file deletion in the GDK via letter_opener_web gem
Reported by: vakzz | Disclosed: | Severity: Medium
Weakness: Cross-Site Request Forgery (CSRF)
Bounty: $750.00
Client-side resource exhaustion by exploiting GitLab math rendering
Reported by: abdilahrf_ | Disclosed: | Severity: Low
Weakness: Uncontrolled Resource Consumption
Group search with Elasticsearch enabled leaks unrelated data
Reported by: rpadovani | Disclosed: | Severity: High
Weakness: Improper Access Control - Generic
Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages at `{group_id}.gitlab.io`
Reported by: joaxcar | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
Bounty: $1990.00
Open redirect
Reported by: eadz | Disclosed: | Severity: Medium
Weakness: Open Redirect
State filter in IssuableFinder allows attacker to delete all issues and merge requests
Reported by: jobert | Disclosed: | Severity: High
Weakness: Privilege Escalation
Read files on application server, leads to RCE
Reported by: jobert | Disclosed: | Severity: Critical
Weakness: Information Disclosure
Stored XSS in Wiki pages
Reported by: ryhmnlfj | Disclosed: | Severity: High
Weakness: Cross-site Scripting (XSS) - Stored
Possibility to purchase Ultimate - 1 Year (EDU or OSS)
Reported by: steppe | Disclosed: | Severity: Low
Weakness: Business Logic Errors
Bypassing push rules via MRs created by Email
Reported by: xanbanx | Disclosed: | Severity: Medium
Weakness: Improper Access Control - Generic
No Restriction on password
Reported by: mta-sts | Disclosed:
ReDoS in syntax highlighting due to Rouge
Reported by: doyensec | Disclosed: | Severity: Medium
Weakness: Uncontrolled Resource Consumption
Bounty: $600.00