Skip to content

TOPGITLAB.md

Latest commit

 

History

History
127 lines (123 loc) · 15.9 KB

TOPGITLAB.md

File metadata and controls

127 lines (123 loc) · 15.9 KB

Back

Top reports from GitLab program at HackerOne:

  1. Arbitrary file read via the UploadsRewriter when moving and issue to GitLab - 1235 upvotes, $20000
  2. Git flag injection - local file overwrite to remote code execution to GitLab - 737 upvotes, $12000
  3. Exfiltrate and mutate repository and project data through injected templated service to GitLab - 723 upvotes, $11000
  4. Stored XSS in Wiki pages to GitLab - 582 upvotes, $4500
  5. Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 526 upvotes, $12000
  6. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 424 upvotes, $12000
  7. JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions to GitLab - 342 upvotes, $12000
  8. Bypass of GitLab CI runner slash fix in YAML validation to GitLab - 341 upvotes, $12000
  9. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 333 upvotes, $7000
  10. Server Side Request Forgery mitigation bypass to GitLab - 313 upvotes, $3500
  11. Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com to GitLab - 281 upvotes, $9500
  12. Cross-site Scripting (XSS) - Stored in RDoc wiki pages to GitLab - 267 upvotes, $3500
  13. Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 223 upvotes, $3000
  14. Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 211 upvotes, $4000
  15. Group search leaks private MRs, code, commits to GitLab - 203 upvotes, $7000
  16. Git flag injection leading to file overwrite and potential remote code execution to GitLab - 162 upvotes, $3500
  17. Snippet JS template allows attacker to read a user's private snippets to GitLab - 162 upvotes, $300
  18. information disclosure of secret_key_base via encoding charcters to GitLab - 140 upvotes, $3500
  19. DoS on the Issue page by exploiting Mermaid. to GitLab - 135 upvotes, $3000
  20. Importing GitLab project archives can replace uploads of other users to GitLab - 132 upvotes, $5000
  21. Persistent XSS in Note objects to GitLab - 132 upvotes, $4500
  22. Git flag injection - Search API with scope 'blobs' to GitLab - 120 upvotes, $7000
  23. Read files on application server, leads to RCE to GitLab - 108 upvotes, $0
  24. Group search with Elastic search enable leaks unrelated data to GitLab - 95 upvotes, $7000
  25. SSRF on project import via the remote_attachment_url on a Note to GitLab - 80 upvotes, $10000
  26. DoS attack via comment on Issue to GitLab - 75 upvotes, $1000
  27. SSRF in CI after first run to GitLab - 69 upvotes, $3000
  28. gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read to GitLab - 59 upvotes, $10000
  29. GraphQL query "namespace" leaks data to GitLab - 58 upvotes, $1000
  30. Ability to access all user authentication tokens, leads to RCE to GitLab - 56 upvotes, $0
  31. Know whether private project name exists or not within a group using link comments to GitLab - 55 upvotes, $300
  32. GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery to GitLab - 54 upvotes, $5000
  33. All functions that allow users to specify color code are vulnerable to ReDoS to GitLab - 48 upvotes, $1000
  34. Clientside resource Exhausting by exploiting gitlab math rendering to GitLab - 48 upvotes, $1000
  35. Command injection by overwriting authorized_keys file through GitLab import to GitLab - 47 upvotes, $2000
  36. Access to GitLab's Slack by abusing issue creation from e-mail to GitLab - 46 upvotes, $0
  37. Bypass Email Verification using Salesforce -- Reproducible in gitlab.com to GitLab - 45 upvotes, $1500
  38. GitLab CI runner can read and poison cache of all other projects to GitLab - 39 upvotes, $2000
  39. SQL injection in MilestoneFinder order method to GitLab - 38 upvotes, $2000
  40. Milestones leaked via search API to GitLab - 38 upvotes, $1000
  41. Using GitLab to monitor and hijack domains in mass quantity. to GitLab - 33 upvotes, $750
  42. Insecure 2FA/authentication implementation creates a brute force vulnerability to GitLab - 30 upvotes, $0
  43. Bypassing push rules via MRs created by Email to GitLab - 29 upvotes, $3000
  44. Privilege escalation due to insecure use of logrotate to GitLab - 29 upvotes, $1000
  45. Uncontrolled Resource Consumption in any Markdown field using Mermaid to GitLab - 29 upvotes, $1000
  46. Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook to GitLab - 29 upvotes, $750
  47. Vulnerability in project import leads to arbitrary command execution to GitLab - 29 upvotes, $0
  48. Access Projects And create projects in gitlab pre production server to GitLab - 26 upvotes, $1000
  49. Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com to GitLab - 25 upvotes, $0
  50. Persistent XSS via e-mail when creating merge requests to GitLab - 24 upvotes, $750
  51. Last build status and coverage leaked to unauthorized users to GitLab - 22 upvotes, $750
  52. Unauthorized users may be able to view almost all informations related to Private projects. to GitLab - 21 upvotes, $0
  53. GitLab's GitHub integration is vulnerable to SSRF vulnerability to GitLab - 20 upvotes, $2000
  54. [Markdown] Stored XSS via character encoding parser bypass to GitLab - 20 upvotes, $0
  55. Claiming package names in GitLab's automatic package referencer. to GitLab - 19 upvotes, $1000
  56. CSV injection in gitlab.com via issues export feature. to GitLab - 19 upvotes, $0
  57. Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR) to GitLab - 18 upvotes, $1000
  58. Race condition in GitLab import, giving access to other people their imports due to filename collision to GitLab - 17 upvotes, $0
  59. Stored XSS in merge request pages to GitLab - 17 upvotes, $0
  60. Stored XSS on Files overview by abusing git submodule URL to GitLab - 16 upvotes, $0
  61. all private tokens are leaked to an unauthenticated attacker to GitLab - 16 upvotes, $0
  62. Privilege escalation to access all private groups and repositories to GitLab - 15 upvotes, $0
  63. SSRF vulnerability in gitlab.com via project import. to GitLab - 15 upvotes, $0
  64. Stored XSS on Issue details page to GitLab - 14 upvotes, $0
  65. Private System Note Disclosure using GraphQL to GitLab - 13 upvotes, $1000
  66. GitHub import allows user to create child group under existing namespace to GitLab - 13 upvotes, $750
  67. Bypassing password authentication of users that have 2FA enabled to GitLab - 13 upvotes, $0
  68. Persistent XSS on public wiki pages to GitLab - 13 upvotes, $0
  69. Gitlab is vulnerable to impersonation attacks due to broken links to GitLab - 13 upvotes, $0
  70. Removing a user from a private group doesn't remove him from group's project, if his project's role was changed to GitLab - 12 upvotes, $2000
  71. Every user can delete public deploy keys to GitLab - 12 upvotes, $0
  72. Inadequate cache control in gitter allows to view private chat room to GitLab - 12 upvotes, $0
  73. No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im to GitLab - 11 upvotes, $1000
  74. State filter in IssuableFinder allows attacker to delete all issues and merge requests to GitLab - 11 upvotes, $0
  75. User with guest access can access private merge requests to GitLab - 11 upvotes, $0
  76. Unfiltered class attribute in markdown code to GitLab - 11 upvotes, $0
  77. SSRF when importing a project from a git repo by URL to GitLab - 11 upvotes, $0
  78. XSS On meta tags in profile page to GitLab - 10 upvotes, $0
  79. Users can download old project exports due to unclaimed namespace to GitLab - 10 upvotes, $0
  80. Persistent XSS - Selecting users as allowed merge request approvers to GitLab - 10 upvotes, $0
  81. HTML TAG INJECTION ON PROFILE NAME to GitLab - 10 upvotes, $0
  82. Blocked user Git access through CI/CD token to GitLab - 9 upvotes, $1500
  83. Attacker can extract list of private project's project members to GitLab - 9 upvotes, $0
  84. Head pipeline leaked to unauthorized users via blocking merge request feature to GitLab - 8 upvotes, $1000
  85. Last pipeline status for MR leaked to GitLab - 8 upvotes, $750
  86. Boards leak private label names and desciptions to GitLab - 8 upvotes, $0
  87. Users with guest access can post notes to private merge requests, issues, and snippets to GitLab - 8 upvotes, $0
  88. SSRF vulnerability in gitlab.com webhook to GitLab - 8 upvotes, $0
  89. XSS (Persistent) - Selecting role(s) for protected branches to GitLab - 8 upvotes, $0
  90. Container scanning and Dependency scanning report leaked to unauthorized users to GitLab - 7 upvotes, $3000
  91. [RDoc] XSS in project README files to GitLab - 7 upvotes, $0
  92. [reStructuredText] XSS in project README files to GitLab - 7 upvotes, $0
  93. Gitlab.com is vulnerable to reverse tabnabbing. to GitLab - 7 upvotes, $0
  94. Markdown based stored XSS (IE only) to GitLab - 7 upvotes, $0
  95. Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) to GitLab - 7 upvotes, $0
  96. Labels created in private projects are leaked to GitLab - 6 upvotes, $0
  97. Persistent XSS on public project page to GitLab - 6 upvotes, $0
  98. [Subgroups] Unprivileged User Can Disclose Private Group Names to GitLab - 6 upvotes, $0
  99. CSRF Token Bypass in Account Deletion to GitLab - 6 upvotes, $0
  100. Gitlab.com is vulnerable to reverse tabnabbing. (#2) to GitLab - 6 upvotes, $0
  101. GFM renderer leaks external issue tracker URL of private project to GitLab - 6 upvotes, $0
  102. Potensial SSRF via Git repository URL to GitLab - 6 upvotes, $0
  103. Double linking cause XSS (but blokeced by CSP in gitlab.com) to GitLab - 6 upvotes, $0
  104. Attacker can delete (and read) private project webhooks to GitLab - 5 upvotes, $0
  105. [Textile] XSS in project README files to GitLab - 5 upvotes, $0
  106. Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) to GitLab - 5 upvotes, $0
  107. Impersonation attack via Broken Link in Resellers Page to GitLab - 5 upvotes, $0
  108. Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds to GitLab - 5 upvotes, $0
  109. Private snippets in public / internal projects leaked though GitLab API to GitLab - 4 upvotes, $0
  110. Confidential issues leaked in public projects when attached to milestone to GitLab - 4 upvotes, $0
  111. Attacker can post notes on private MR, snippets, and issues to GitLab - 4 upvotes, $0
  112. [Repository Import] Open Redirect via "continue[to]" parameter to GitLab - 4 upvotes, $0
  113. Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings to GitLab - 3 upvotes, $1000
  114. Open redirect to GitLab - 3 upvotes, $0
  115. CSRF-Token leak by request forgery to GitLab - 3 upvotes, $0
  116. Cookie bomb to GitLab - 3 upvotes, $0
  117. SSRF via git Repo by URL Abuse to GitLab - 2 upvotes, $0
  118. Lack of validation before assigning custom domain names leading to abuse of GitLab pages service to GitLab - 2 upvotes, $0
  119. Email notification about login email changed is not received when using verified linked email address to GitLab - 2 upvotes, $0
  120. Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution to GitLab - 0 upvotes, $0

Back