Skip to content

Latest commit

 

History

History
252 lines (251 loc) · 32.9 KB

TOPGITLAB.md

File metadata and controls

252 lines (251 loc) · 32.9 KB

Top reports from GitLab program at HackerOne:

  1. Arbitrary file read via the UploadsRewriter when moving and issue to GitLab - 1455 upvotes, $20000
  2. Git flag injection - local file overwrite to remote code execution to GitLab - 762 upvotes, $12000
  3. Exfiltrate and mutate repository and project data through injected templated service to GitLab - 734 upvotes, $11000
  4. Stored XSS in Wiki pages to GitLab - 602 upvotes, $0
  5. Local files could be overwritten in GitLab, leading to remote command execution to GitLab - 536 upvotes, $12000
  6. RCE when removing metadata with ExifTool to GitLab - 486 upvotes, $20000
  7. Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - 439 upvotes, $12000
  8. RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - 415 upvotes, $20000
  9. gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read to GitLab - 400 upvotes, $10000
  10. Bypass of GitLab CI runner slash fix in YAML validation to GitLab - 355 upvotes, $12000
  11. JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions to GitLab - 354 upvotes, $12000
  12. SSRF on project import via the remote_attachment_url on a Note to GitLab - 343 upvotes, $10000
  13. Attacker is able to access commit title and team member comments which are supposed to be private to GitLab - 340 upvotes, $0
  14. Server Side Request Forgery mitigation bypass to GitLab - 335 upvotes, $0
  15. Remote Command Execution via Github import to GitLab - 304 upvotes, $33510
  16. An attacker can run pipeline jobs as arbitrary user to GitLab - 301 upvotes, $0
  17. Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com to GitLab - 300 upvotes, $0
  18. RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) to GitLab - 299 upvotes, $33510
  19. Arbitrary file read via the bulk imports UploadsPipeline to GitLab - 299 upvotes, $29000
  20. Stored XSS in markdown via the DesignReferenceFilter to GitLab - 282 upvotes, $16000
  21. Cross-site Scripting (XSS) - Stored in RDoc wiki pages to GitLab - 278 upvotes, $3500
  22. Stored XSS via Kroki diagram to GitLab - 272 upvotes, $13950
  23. RCE via github import to GitLab - 263 upvotes, $0
  24. Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain to GitLab - 240 upvotes, $3000
  25. Privilege escalation from any user (including external) to gitlab admin when admin impersonates you to GitLab - 235 upvotes, $0
  26. Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties to GitLab - 231 upvotes, $3000
  27. Steal private objects of other projects via project import to GitLab - 225 upvotes, $20000
  28. Unauthenticated blind SSRF in OAuth Jira authorization controller to GitLab - 223 upvotes, $4000
  29. Ability To Delete User(s) Account Without User Interaction to GitLab - 215 upvotes, $0
  30. Full Read SSRF on Gitlab's Internal Grafana to GitLab - 212 upvotes, $0
  31. Group search leaks private MRs, code, commits to GitLab - 207 upvotes, $0
  32. Arbitrary file read during project import to GitLab - 182 upvotes, $16000
  33. Git flag injection leading to file overwrite and potential remote code execution to GitLab - 169 upvotes, $3500
  34. Snippet JS template allows attacker to read a user's private snippets to GitLab - 164 upvotes, $300
  35. Stored-XSS with CSP-bypass via labels' color to GitLab - 160 upvotes, $0
  36. Stored XSS in Notes (with CSP bypass for gitlab.com) to GitLab - 148 upvotes, $13950
  37. information disclosure of secret_key_base via encoding charcters to GitLab - 144 upvotes, $3500
  38. DoS on the Issue page by exploiting Mermaid. to GitLab - 140 upvotes, $3000
  39. Importing GitLab project archives can replace uploads of other users to GitLab - 140 upvotes, $0
  40. Path traversal, to RCE to GitLab - 136 upvotes, $12000
  41. Persistent XSS in Note objects to GitLab - 134 upvotes, $4500
  42. Send arbitrary PUT requests when user clicks on a link to GitLab - 134 upvotes, $0
  43. Git flag injection - Search API with scope 'blobs' to GitLab - 126 upvotes, $7000
  44. Stored XSS in custom emoji to GitLab - 124 upvotes, $3000
  45. Private objects exposed through project import to GitLab - 112 upvotes, $20000
  46. Read files on application server, leads to RCE to GitLab - 112 upvotes, $0
  47. Able to view hackerone reports attachments to GitLab - 98 upvotes, $0
  48. Group search with Elastic search enable leaks unrelated data to GitLab - 96 upvotes, $0
  49. Bypass: Stored-XSS with CSP-bypass via scoped labels' color to GitLab - 94 upvotes, $0
  50. XSS in request approvals to GitLab - 93 upvotes, $3000
  51. CSP-bypass XSS in project settings page to GitLab - 93 upvotes, $0
  52. Stored XSS in "Create Groups" to GitLab - 87 upvotes, $2500
  53. Account takeover due to insufficient URL validation on RelayState parameter to GitLab - 85 upvotes, $2450
  54. Unrestricted file upload leads to Stored XSS to GitLab - 84 upvotes, $0
  55. New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields to GitLab - 83 upvotes, $13950
  56. Path traversal in Nuget Package Registry to GitLab - 83 upvotes, $12000
  57. DoS attack via comment on Issue to GitLab - 80 upvotes, $1000
  58. Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" to GitLab - 77 upvotes, $3000
  59. XSS in ZenTao integration affecting self hosted instances without strict CSP to GitLab - 75 upvotes, $13950
  60. GitLab-Runner on Windows DOCKER_AUTH_CONFIG container host Command Injection to GitLab - 75 upvotes, $0
  61. CSRF on /api/graphql allows executing mutations through GET requests to GitLab - 74 upvotes, $3370
  62. Cache poisoning Denial of Service affecting assets.gitlab-static.net to GitLab - 73 upvotes, $0
  63. SSRF in CI after first run to GitLab - 70 upvotes, $0
  64. RepositoryPipeline allows importing of local git repos to GitLab - 64 upvotes, $22300
  65. GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery to GitLab - 64 upvotes, $0
  66. Privilege escalation of "external user" (with maintainer privilege) to internal access through project token to GitLab - 61 upvotes, $1020
  67. Stored-XSS injected in Wiki page via Banzai pipeline to GitLab - 60 upvotes, $0
  68. GraphQL query "namespace" leaks data to GitLab - 59 upvotes, $0
  69. Login email verification bypass via /oauth/token. to GitLab - 59 upvotes, $0
  70. [Admin Panel] CSRF to resume/pause runner to GitLab - 58 upvotes, $500
  71. Stored-XSS on wiki pages to GitLab - 58 upvotes, $0
  72. Ability to access all user authentication tokens, leads to RCE to GitLab - 57 upvotes, $0
  73. Know whether private project name exists or not within a group using link comments to GitLab - 57 upvotes, $0
  74. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 53 upvotes, $3000
  75. Access to GitLab's Slack by abusing issue creation from e-mail to GitLab - 52 upvotes, $0
  76. FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com to GitLab - 52 upvotes, $0
  77. Content injection in Jira issue title enabling sending arbitrary POST request as victim to GitLab - 51 upvotes, $8690
  78. All functions that allow users to specify color code are vulnerable to ReDoS to GitLab - 51 upvotes, $1000
  79. Bypass Email Verification using Salesforce -- Reproducible in gitlab.com to GitLab - 50 upvotes, $1500
  80. Change project visibility to a restricted option to GitLab - 50 upvotes, $1370
  81. Clientside resource Exhausting by exploiting gitlab math rendering to GitLab - 50 upvotes, $0
  82. Arbitrary POST request as victim user from HTML injection in Jupyter notebooks to GitLab - 49 upvotes, $8690
  83. Stored XSS on the job page to GitLab - 49 upvotes, $3000
  84. Command injection by overwriting authorized_keys file through GitLab import to GitLab - 49 upvotes, $2000
  85. Guest users can create new test cases to GitLab - 49 upvotes, $650
  86. XSS on Issue reference numbers to GitLab - 49 upvotes, $0
  87. Stored XSS in markdown when redacting references to GitLab - 48 upvotes, $5000
  88. Stored XSS in merge request pages to GitLab - 48 upvotes, $3500
  89. RCE via WikiCloth markdown rendering if the rubyluabridge gem is installed to GitLab - 48 upvotes, $3000
  90. EXIF metadata not stripped from JPG group logos to GitLab - 48 upvotes, $500
  91. View the Starred Projects in a Private Profile to GitLab - 46 upvotes, $500
  92. Stored XSS via Mermaid Prototype Pollution vulnerability to GitLab - 45 upvotes, $3000
  93. Remove obsolete domain from handbook subdomain to GitLab - 44 upvotes, $100
  94. Stored XSS in Mermaid when viewing Markdown files to GitLab - 42 upvotes, $0
  95. GitLab CI runner can read and poison cache of all other projects to GitLab - 41 upvotes, $2000
  96. Milestones leaked via search API to GitLab - 41 upvotes, $0
  97. Improper access control for users with expired password, giving the user full access through API and Git to GitLab - 40 upvotes, $950
  98. Kroki Arbitrary File Read/Write to GitLab - 40 upvotes, $0
  99. XSS: v-safe-html is not safe enough to GitLab - 40 upvotes, $0
  100. When you call your branch the same name as a git hash, it could be checked out by dependents to GitLab - 39 upvotes, $2000
  101. A deactivated user can access data through GraphQL to GitLab - 39 upvotes, $1370
  102. SQL injection in MilestoneFinder order method to GitLab - 38 upvotes, $2000
  103. Stored XSS on issue comments and other pages which contain notes to GitLab - 36 upvotes, $3000
  104. Using GitLab to monitor and hijack domains in mass quantity. to GitLab - 36 upvotes, $750
  105. IDOR Exposes All Machine Learning Models to GitLab - 35 upvotes, $1160
  106. Bypassing push rules via MRs created by Email to GitLab - 35 upvotes, $0
  107. Stored XSS in blob viewer to GitLab - 35 upvotes, $0
  108. Store-XSS in error message of build-dependencies to GitLab - 35 upvotes, $0
  109. Injection of http.\<url\>.* git config settings leading to SSRF to GitLab - 34 upvotes, $3000
  110. Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook to GitLab - 32 upvotes, $750
  111. Vulnerability in project import leads to arbitrary command execution to GitLab - 32 upvotes, $0
  112. Stored-XSS in merge requests to GitLab - 32 upvotes, $0
  113. Clipboard DOM-based XSS to GitLab - 32 upvotes, $0
  114. Removed Guest role user who dosent have access to private project in members able to view jobs to GitLab - 32 upvotes, $0
  115. Insecure 2FA/authentication implementation creates a brute force vulnerability to GitLab - 31 upvotes, $0
  116. Exposure of a valid Gitlab-Workhorse JWT leading to various bad things to GitLab - 31 upvotes, $0
  117. Stored XSS in merge request creation page through payload in approval rule name to GitLab - 30 upvotes, $3000
  118. Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com to GitLab - 30 upvotes, $0
  119. Uncontrolled Resource Consumption in any Markdown field using Mermaid to GitLab - 30 upvotes, $0
  120. Privilege escalation due to insecure use of logrotate to GitLab - 29 upvotes, $0
  121. Remote hacker can download all the files of master branch in public projects where everything is members only. to GitLab - 29 upvotes, $0
  122. Stored XSS in group issue list to GitLab - 27 upvotes, $2000
  123. Guest Users can create issues for Sentry errors and track their status to GitLab - 27 upvotes, $610
  124. Access Projects And create projects in gitlab pre production server to GitLab - 27 upvotes, $0
  125. Able to leak private email of any user given his/her username via graphql to GitLab - 27 upvotes, $0
  126. Stored DOM XSS via Mermaid chart to GitLab - 26 upvotes, $3000
  127. Stored XSS in repository file viewer to GitLab - 26 upvotes, $2000
  128. No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im to GitLab - 26 upvotes, $1000
  129. A profile page of a user can be denied from loading by appending .html to the username to GitLab - 26 upvotes, $200
  130. GitLab's GitHub integration is vulnerable to SSRF vulnerability to GitLab - 25 upvotes, $2000
  131. IDOR in "external status check" API leaks data about any status check on the instance to GitLab - 25 upvotes, $610
  132. DOS via issue preview to GitLab - 24 upvotes, $7640
  133. Drive-by arbitrary file deletion in the GDK via letter_opener_web gem to GitLab - 24 upvotes, $750
  134. Persistent XSS via e-mail when creating merge requests to GitLab - 24 upvotes, $0
  135. Stored XSS on PyPi simple API endpoint to GitLab - 23 upvotes, $3000
  136. Domain Takeover - gl-canary.freetls.fastly.net to GitLab - 23 upvotes, $200
  137. Last build status and coverage leaked to unauthorized users to GitLab - 23 upvotes, $0
  138. Unauthorized access to private project security dashboard to GitLab - 23 upvotes, $0
  139. Claiming package names in GitLab's automatic package referencer. to GitLab - 22 upvotes, $1000
  140. Unauthorized users may be able to view almost all informations related to Private projects. to GitLab - 22 upvotes, $0
  141. Add and Access to Labels of any Private Projects/Groups of Gitlab(IDOR) to GitLab - 22 upvotes, $0
  142. Stealing data from customers.gitlab.com without user interaction to GitLab - 22 upvotes, $0
  143. SafeParamsHelper::safe_params is not so safe to GitLab - 21 upvotes, $4000
  144. Possibilty to purchase Ultimate - 1 Year (EDU or OSS) to GitLab - 21 upvotes, $0
  145. Instant open redirect on Live preview WEB Ide opening to GitLab - 20 upvotes, $1000
  146. CSV injection in gitlab.com via issues export feature. to GitLab - 20 upvotes, $0
  147. all private tokens are leaked to an unauthenticated attacker to GitLab - 20 upvotes, $0
  148. [Markdown] Stored XSS via character encoding parser bypass to GitLab - 20 upvotes, $0
  149. CRLF injection & SSRF in git:// protocal lead to arbitrary code execution to GitLab - 20 upvotes, $0
  150. Race condition in GitLab import, giving access to other people their imports due to filename collision to GitLab - 19 upvotes, $0
  151. Stored XSS for Grafana dashboard URL to GitLab - 19 upvotes, $0
  152. DOS via move_issue to GitLab - 18 upvotes, $2300
  153. Reporters can upload design to issues using the "Move to" feature to GitLab - 18 upvotes, $600
  154. Gitlab is vulnerable to impersonation attacks due to broken links to GitLab - 18 upvotes, $0
  155. SSRF vulnerability in gitlab.com via project import. to GitLab - 18 upvotes, $0
  156. Attacker is able to create,Edit & delete notes and leak the title of a victim's private personal snippet to GitLab - 17 upvotes, $1730
  157. Private System Note Disclosure using GraphQL to GitLab - 17 upvotes, $1000
  158. Bypassing password authentication of users that have 2FA enabled to GitLab - 17 upvotes, $0
  159. Privilege escalation to access all private groups and repositories to GitLab - 17 upvotes, $0
  160. Stored XSS in merge request pages to GitLab - 17 upvotes, $0
  161. Unauthorized access to GitLab - 17 upvotes, $0
  162. Stored XSS on Files overview by abusing git submodule URL to GitLab - 16 upvotes, $0
  163. HTML TAG INJECTION ON PROFILE NAME to GitLab - 16 upvotes, $0
  164. Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... to GitLab - 16 upvotes, $0
  165. Stored XSS on Issue details page to GitLab - 15 upvotes, $0
  166. Attacker can create malicious child epics linked to a victim's epic in an unrelated group to GitLab - 14 upvotes, $1160
  167. GitHub import allows user to create child group under existing namespace to GitLab - 14 upvotes, $750
  168. Insufficient Type Check on GraphQL leading to Maintainer delete repository to GitLab - 14 upvotes, $0
  169. Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances to GitLab - 14 upvotes, $0
  170. ReDoS in syntax highlighting due to Rouge to GitLab - 13 upvotes, $600
  171. Persistent XSS on public wiki pages to GitLab - 13 upvotes, $0
  172. User with guest access can access private merge requests to GitLab - 13 upvotes, $0
  173. Transferring a public group to a private group doesn't remove code from the Elastichsearch API search result to GitLab - 13 upvotes, $0
  174. [information disclosure] Validate existence of a private project. to GitLab - 13 upvotes, $0
  175. Every user can delete public deploy keys to GitLab - 12 upvotes, $0
  176. Inadequate cache control in gitter allows to view private chat room to GitLab - 12 upvotes, $0
  177. Removing a user from a private group doesn't remove him from group's project, if his project's role was changed to GitLab - 12 upvotes, $0
  178. SSRF In plantuml (on plantuml.pre.gitlab.com) to GitLab - 12 upvotes, $0
  179. GraphQL Query leads to sensitive information disclosure to GitLab - 12 upvotes, $0
  180. Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at {group_id}.gitlab.io to GitLab - 11 upvotes, $1990
  181. Gitlab Pages token theft using service workers to GitLab - 11 upvotes, $1680
  182. "External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request to GitLab - 11 upvotes, $610
  183. Guest users can change the confidentiality attribute on those issues that have been assigned to them to GitLab - 11 upvotes, $100
  184. State filter in IssuableFinder allows attacker to delete all issues and merge requests to GitLab - 11 upvotes, $0
  185. Unfiltered class attribute in markdown code to GitLab - 11 upvotes, $0
  186. SSRF when importing a project from a git repo by URL to GitLab - 11 upvotes, $0
  187. Head pipeline leaked to unauthorized users via blocking merge request feature to GitLab - 11 upvotes, $0
  188. SSRF into Shared Runner, by replacing dockerd with malicious server in Executor to GitLab - 11 upvotes, $0
  189. Container escape on public GitLab CI runners to GitLab - 11 upvotes, $0
  190. Blocked user Git access through CI/CD token to GitLab - 10 upvotes, $1500
  191. XSS by clicking Jira's link to GitLab - 10 upvotes, $1130
  192. XSS On meta tags in profile page to GitLab - 10 upvotes, $0
  193. Boards leak private label names and desciptions to GitLab - 10 upvotes, $0
  194. Users can download old project exports due to unclaimed namespace to GitLab - 10 upvotes, $0
  195. Impersonation attack via Broken Link in Resellers Page to GitLab - 10 upvotes, $0
  196. SSRF vulnerability in gitlab.com webhook to GitLab - 10 upvotes, $0
  197. Persistent XSS - Selecting users as allowed merge request approvers to GitLab - 10 upvotes, $0
  198. Revoked User can still view the Merge Request created by him via API to GitLab - 9 upvotes, $1500
  199. Installing Gitlab runner with Docker-In-Docker allows root access to GitLab - 9 upvotes, $100
  200. Attacker can extract list of private project's project members to GitLab - 9 upvotes, $0
  201. Users with guest access can post notes to private merge requests, issues, and snippets to GitLab - 9 upvotes, $0
  202. [Subgroups] Unprivileged User Can Disclose Private Group Names to GitLab - 9 upvotes, $0
  203. Last pipeline status for MR leaked to GitLab - 9 upvotes, $0
  204. Container scanning and Dependency scanning report leaked to unauthorized users to GitLab - 9 upvotes, $0
  205. Unauthorized user is able to access schedule pipeline variables and values to GitLab - 9 upvotes, $0
  206. ReDoS in net/http affects webhooks: Sidekiq job stuck at 100% CPU for a year to GitLab - 9 upvotes, $0
  207. Markdown based stored XSS (IE only) to GitLab - 8 upvotes, $0
  208. Gitlab.com is vulnerable to reverse tabnabbing. (#2) to GitLab - 8 upvotes, $0
  209. XSS (Persistent) - Selecting role(s) for protected branches to GitLab - 8 upvotes, $0
  210. Elasticsearch leaks data through the notes scope to GitLab - 8 upvotes, $0
  211. Blind SSRF in FogBugz project import to GitLab - 8 upvotes, $0
  212. [RDoc] XSS in project README files to GitLab - 7 upvotes, $0
  213. [reStructuredText] XSS in project README files to GitLab - 7 upvotes, $0
  214. Gitlab.com is vulnerable to reverse tabnabbing. to GitLab - 7 upvotes, $0
  215. Potensial SSRF via Git repository URL to GitLab - 7 upvotes, $0
  216. Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) to GitLab - 7 upvotes, $0
  217. Adding everyone to the repo due to the lack of rate limit to GitLab - 7 upvotes, $0
  218. Responsible Disclosure of Privacy Leakage Issue to GitLab - 7 upvotes, $0
  219. Bypass for Domain-level redirects (Unvalidated Redirects and Forwar) to GitLab - 7 upvotes, $0
  220. Labels created in private projects are leaked to GitLab - 6 upvotes, $0
  221. Persistent XSS on public project page to GitLab - 6 upvotes, $0
  222. CSRF Token Bypass in Account Deletion to GitLab - 6 upvotes, $0
  223. GFM renderer leaks external issue tracker URL of private project to GitLab - 6 upvotes, $0
  224. Cookie bomb to GitLab - 6 upvotes, $0
  225. Double linking cause XSS (but blokeced by CSP in gitlab.com) to GitLab - 6 upvotes, $0
  226. Todos are not redacted when membership changes - Access to (confidential) issues and merge requests to GitLab - 6 upvotes, $0
  227. Stored-XSS in merge requests to GitLab - 6 upvotes, $0
  228. Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net to GitLab - 6 upvotes, $0
  229. Attacker can post notes on private MR, snippets, and issues to GitLab - 5 upvotes, $0
  230. Attacker can delete (and read) private project webhooks to GitLab - 5 upvotes, $0
  231. [Textile] XSS in project README files to GitLab - 5 upvotes, $0
  232. Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) to GitLab - 5 upvotes, $0
  233. Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds to GitLab - 5 upvotes, $0
  234. Members from parent group keep their access level on a subgroup transfer and are invisible to GitLab - 5 upvotes, $0
  235. Dependecy Confusion via Lookup Request Forwarding to PyPi.org to GitLab - 5 upvotes, $0
  236. Arbitrary escape sequence injection in docker-machine from worker nodes to GitLab - 5 upvotes, $0
  237. Initial mirror user can be assigned by other user even if the mirror was removed to GitLab - 4 upvotes, $3000
  238. Private snippets in public / internal projects leaked though GitLab API to GitLab - 4 upvotes, $0
  239. Confidential issues leaked in public projects when attached to milestone to GitLab - 4 upvotes, $0
  240. [Repository Import] Open Redirect via "continue[to]" parameter to GitLab - 4 upvotes, $0
  241. CSRF-Token leak by request forgery to GitLab - 4 upvotes, $0
  242. Found Origin IP's lead to access to gitlab to GitLab - 4 upvotes, $0
  243. Open redirect to GitLab - 3 upvotes, $0
  244. SSRF via git Repo by URL Abuse to GitLab - 3 upvotes, $0
  245. Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings to GitLab - 3 upvotes, $0
  246. Lack of validation before assigning custom domain names leading to abuse of GitLab pages service to GitLab - 2 upvotes, $0
  247. Email notification about login email changed is not received when using verified linked email address to GitLab - 2 upvotes, $0
  248. Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities to GitLab - 1 upvotes, $0
  249. No Restriction on password to GitLab - 1 upvotes, $0
  250. Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution to GitLab - 0 upvotes, $0