| # | Report title | Bounty |
|---|---|---|
| 1 | RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) | $33510.0 |
| 2 | Remote Command Execution via Github import | $33510.0 |
| 3 | Arbitrary file read via the bulk imports UploadsPipeline | $29000.0 |
| 4 | RepositoryPipeline allows importing of local git repos | $22300.0 |
| 5 | Arbitrary file read via the UploadsRewriter when moving an issue | $20000.0 |
| 6 | RCE via unsafe inline Kramdown options when rendering certain Wiki pages | $20000.0 |
| 7 | RCE when removing metadata with ExifTool | $20000.0 |
| 8 | Private objects exposed through project import | $20000.0 |
| 9 | Steal private objects of other projects via project import | $20000.0 |
| 10 | Arbitrary file read during project import | $16000.0 |
| 11 | Stored XSS in markdown via the DesignReferenceFilter | $16000.0 |
| 12 | Stored XSS in Notes (with CSP bypass for gitlab.com) | $13950.0 |
| 13 | XSS in ZenTao integration affecting self-hosted instances without strict CSP | $13950.0 |
| 14 | New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields | $13950.0 |
| 15 | Stored XSS via Kroki diagram | $13950.0 |
| 16 | Bypass of GitLab CI runner slash fix in YAML validation | $12000.0 |
| 17 | JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions | $12000.0 |
| 18 | Local files could be overwritten in GitLab, leading to remote command execution | $12000.0 |
| 19 | Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests | $12000.0 |
| 20 | Git flag injection - local file overwrite to remote code execution | $12000.0 |
| 21 | Path traversal in Nuget Package Registry | $12000.0 |
| 22 | Path traversal, to RCE | $12000.0 |
| 23 | Exfiltrate and mutate repository and project data through injected templated service | $11000.0 |
| 24 | SSRF on project import via the remote_attachment_url on a Note | $10000.0 |
| 25 | gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read | $10000.0 |
| 26 | Arbitrary POST request as victim user from HTML injection in Jupyter notebooks | $8690.0 |
| 27 | Content injection in Jira issue title enabling sending arbitrary POST request as victim | $8690.0 |
| 28 | DOS via issue preview | $7640.0 |
| 29 | Git flag injection - Search API with scope 'blobs' | $7000.0 |
| 30 | Stored XSS in markdown when redacting references | $5000.0 |
| 31 | Persistent XSS in Note objects | $4500.0 |
| 32 | Unauthenticated blind SSRF in OAuth Jira authorization controller | $4000.0 |
| 33 | SafeParamsHelper::safe_params is not so safe | $4000.0 |
| 34 | information disclosure of secret_key_base via encoding characters | $3500.0 |
| 35 | Cross-site Scripting (XSS) - Stored in RDoc wiki pages | $3500.0 |
| 36 | Git flag injection leading to file overwrite and potential remote code execution | $3500.0 |
| 37 | Stored XSS in merge request pages | $3500.0 |
| 38 | CSRF on /api/graphql allows executing mutations through GET requests | $3370.0 |
| 39 | DoS on the Issue page by exploiting Mermaid. | $3000.0 |
| 40 | Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain | $3000.0 |
| 41 | Initial mirror user can be assigned by other user even if the mirror was removed | $3000.0 |
| 42 | Injection of `http.<url>.*` git config settings leading to SSRF | $3000.0 |
| 43 | Stored XSS on PyPi simple API endpoint | $3000.0 |
| 44 | Ability to bypass email verification for OAuth grants results in account takeovers on 3rd parties | $3000.0 |
| 45 | Stored XSS on the job page | $3000.0 |
| 46 | XSS in request approvals | $3000.0 |
| 47 | Stored DOM XSS via Mermaid chart | $3000.0 |
| 48 | Stored XSS via Mermaid Prototype Pollution vulnerability | $3000.0 |
| 49 | Stored XSS in custom emoji | $3000.0 |
| 50 | Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" | $3000.0 |
| 51 | Stored XSS via Mermaid Prototype Pollution vulnerability | $3000.0 |
| 52 | Stored XSS in merge request creation page through payload in approval rule name | $3000.0 |
| 53 | RCE via WikiCloth markdown rendering if the rubyluabridge gem is installed | $3000.0 |
| 54 | Stored XSS on issue comments and other pages which contain notes | $3000.0 |
| 55 | Stored XSS in "Create Groups" | $2500.0 |
| 56 | Account takeover due to insufficient URL validation on RelayState parameter | $2450.0 |
| 57 | DOS via move_issue | $2300.0 |
| 58 | SQL injection in MilestoneFinder order method | $2000.0 |
| 59 | Command injection by overwriting authorized_keys file through GitLab import | $2000.0 |
| 60 | GitLab CI runner can read and poison cache of all other projects | $2000.0 |
| 61 | GitLab's GitHub integration is vulnerable to SSRF vulnerability | $2000.0 |
| 62 | Stored XSS in group issue list | $2000.0 |
| 63 | When you call your branch the same name as a git hash, it could be checked out by dependents | $2000.0 |
| 64 | Stored XSS in repository file viewer | $2000.0 |
| 65 | Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at {group_id}.gitlab.io | $1990.0 |
| 66 | Attacker is able to create, edit & delete notes and leak the title of a victim's private personal snippet | $1730.0 |
| 67 | Gitlab Pages token theft using service workers | $1680.0 |
| 68 | Blocked user Git access through CI/CD token | $1500.0 |
| 69 | Bypass Email Verification using Salesforce -- Reproducible in gitlab.com | $1500.0 |
| 70 | Revoked User can still view the Merge Request created by him via API | $1500.0 |
| 71 | A deactivated user can access data through GraphQL | $1370.0 |
| 72 | Change project visibility to a restricted option | $1370.0 |
| 73 | Attacker can create malicious child epics linked to a victim's epic in an unrelated group | $1160.0 |
| 74 | IDOR Exposes All Machine Learning Models | $1160.0 |
| 75 | XSS by clicking Jira's link | $1130.0 |
| 76 | HTML injection possible with soft email confirmations when Administrator manually confirms attacker email address | $1060.0 |
| 77 | Privilege escalation of "external user" (with maintainer privilege) to internal access through project token | $1020.0 |
| 78 | Claiming package names in GitLab's automatic package referencer. | $1000.0 |
| 79 | All functions that allow users to specify color code are vulnerable to ReDoS | $1000.0 |
| 80 | DoS attack via comment on Issue | $1000.0 |
| 81 | Private System Note Disclosure using GraphQL | $1000.0 |
| 82 | No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im | $1000.0 |
| 83 | Instant open redirect on Live preview WEB Ide opening | $1000.0 |
| 84 | Improper access control for users with expired password, giving the user full access through API and Git | $950.0 |
| 85 | Using GitLab to monitor and hijack domains in mass quantity. | $750.0 |
| 86 | Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook | $750.0 |
| 87 | GitHub import allows user to create child group under existing namespace | $750.0 |
| 88 | Drive-by arbitrary file deletion in the GDK via letter_opener_web gem | $750.0 |
| 89 | Guest users can create new test cases | $650.0 |
| 90 | Guest Users can create issues for Sentry errors and track their status | $610.0 |
| 91 | IDOR in "external status check" API leaks data about any status check on the instance | $610.0 |
| 92 | "External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request | $610.0 |
| 93 | Reporters can upload design to issues using the "Move to" feature | $600.0 |
| 94 | ReDoS in syntax highlighting due to Rouge | $600.0 |
| 95 | EXIF metadata not stripped from JPG group logos | $500.0 |
| 96 | [Admin Panel] CSRF to resume/pause runner | $500.0 |
| 97 | View the Starred Projects in a Private Profile | $500.0 |
| 98 | Snippet JS template allows attacker to read a user's private snippets | $300.0 |
| 99 | A profile page of a user can be denied from loading by appending .html to the username | $200.0 |
| 100 | Domain Takeover - gl-canary.freetls.fastly.net | $200.0 |
| 101 | Guest users can change the confidentiality attribute on those issues that have been assigned to them | $100.0 |
| 102 | Installing Gitlab runner with Docker-In-Docker allows root access | $100.0 |
| 103 | Information Disclosure - Pvt Gitlab Issue Disclosing Through GitLab Unfiltered YouTube channel. | $100.0 |
| 104 | Remove obsolete domain from handbook subdomain | $100.0 |
| 105 | XSS On meta tags in profile page | $0.0 |
| 106 | Boards leak private label names and descriptions | $0.0 |
| 107 | Insecure 2FA/authentication implementation creates a brute force vulnerability | $0.0 |
| 108 | Read files on application server, leads to RCE | $0.0 |
| 109 | Ability to access all user authentication tokens, leads to RCE | $0.0 |
| 110 | State filter in IssuableFinder allows attacker to delete all issues and merge requests | $0.0 |
| 111 | Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com | $0.0 |
| 112 | Users with guest access can post notes to private merge requests, issues, and snippets | $0.0 |
| 113 | User with guest access can access private merge requests | $0.0 |
| 114 | Every user can delete public deploy keys | $0.0 |
| 115 | Users can download old project exports due to unclaimed namespace | $0.0 |
| 116 | [RDoc] XSS in project README files | $0.0 |
| 117 | [Textile] XSS in project README files | $0.0 |
| 118 | [reStructuredText] XSS in project README files | $0.0 |
| 119 | Gitlab.com is vulnerable to reverse tabnabbing. | $0.0 |
| 120 | [Subgroups] Unprivileged User Can Disclose Private Group Names | $0.0 |
| 121 | [Repository Import] Open Redirect via "continue[to]" parameter | $0.0 |
| 122 | Open redirect | $0.0 |
| 123 | Unfiltered class attribute in markdown code | $0.0 |
| 124 | CSRF Token Bypass in Account Deletion | $0.0 |
| 125 | Markdown based stored XSS (IE only) | $0.0 |
| 126 | Stored XSS on Files overview by abusing git submodule URL | $0.0 |
| 127 | Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) | $0.0 |
| 128 | Gitlab.com is vulnerable to reverse tabnabbing. (#2) | $0.0 |
| 129 | GFM renderer leaks external issue tracker URL of private project | $0.0 |
| 130 | Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution | $0.0 |
| 131 | CSV injection in gitlab.com via issues export feature. | $0.0 |
| 132 | Gitlab is vulnerable to impersonation attacks due to broken links | $0.0 |
| 133 | Impersonation attack via Broken Link in Resellers Page | $0.0 |
| 134 | Access to GitLab's Slack by abusing issue creation from e-mail | $0.0 |
| 135 | all private tokens are leaked to an unauthenticated attacker | $0.0 |
| 136 | Race condition in GitLab import, giving access to other people's imports due to filename collision | $0.0 |
| 137 | CSRF-Token leak by request forgery | $0.0 |
| 138 | [Markdown] Stored XSS via character encoding parser bypass | $0.0 |
| 139 | SSRF vulnerability in gitlab.com via project import. | $0.0 |
| 140 | SSRF via git Repo by URL Abuse | $0.0 |
| 141 | Lack of validation before assigning custom domain names leading to abuse of GitLab pages service | $0.0 |
| 142 | Cookie bomb | $0.0 |
| 143 | SSRF vulnerability in gitlab.com webhook | $0.0 |
| 144 | SSRF when importing a project from a git repo by URL | $0.0 |
| 145 | XSS (Persistent) - Selecting role(s) for protected branches | $0.0 |
| 146 | Persistent XSS - Selecting users as allowed merge request approvers | $0.0 |
| 147 | Potential SSRF via Git repository URL | $0.0 |
| 148 | HTML TAG INJECTION ON PROFILE NAME | $0.0 |
| 149 | Vulnerability in project import leads to arbitrary command execution | $0.0 |
| 150 | Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) | $0.0 |
| 151 | Stored XSS on Issue details page | $0.0 |
| 152 | Unauthorized users may be able to view almost all information related to Private projects. | $0.0 |
| 153 | Stored XSS in merge request pages | $0.0 |
| 154 | Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds | $0.0 |
| 155 | Inadequate cache control in gitter allows viewing a private chat room | $0.0 |
| 156 | Removing a user from a private group doesn't remove him from the group's project if his project role was changed | $0.0 |
| 157 | SSRF in CI after first run | $0.0 |
| 158 | Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com | $0.0 |
| 159 | Attacker is able to access commit title and team member comments which are supposed to be private | $0.0 |
| 160 | Milestones leaked via search API | $0.0 |
| 161 | Access Projects And create projects in gitlab pre-production server | $0.0 |
| 162 | Persistent XSS via e-mail when creating merge requests | $0.0 |
| 163 | Last build status and coverage leaked to unauthorized users | $0.0 |
| 164 | Stored XSS in Wiki pages | $0.0 |
| 165 | Add and Access to Labels of any Private Projects/Groups of Gitlab (IDOR) | $0.0 |
| 166 | Last pipeline status for MR leaked | $0.0 |
| 167 | Bypassing push rules via MRs created by Email | $0.0 |
| 168 | Client-side resource exhaustion by exploiting gitlab math rendering | $0.0 |
| 169 | Privilege escalation due to insecure use of logrotate | $0.0 |
| 170 | Know whether private project name exists or not within a group using link comments | $0.0 |
| 171 | GraphQL query "namespace" leaks data | $0.0 |
| 172 | Importing GitLab project archives can replace uploads of other users | $0.0 |
| 173 | GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery | $0.0 |
| 174 | Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings | $0.0 |
| 175 | Head pipeline leaked to unauthorized users via blocking merge request feature | $0.0 |
| 176 | Container scanning and Dependency scanning report leaked to unauthorized users | $0.0 |
| 177 | Group search with Elasticsearch enabled leaks unrelated data | $0.0 |
| 178 | Group search leaks private MRs, code, commits | $0.0 |
| 179 | Uncontrolled Resource Consumption in any Markdown field using Mermaid | $0.0 |
| 180 | Double linking causes XSS (but blocked by CSP in gitlab.com) | $0.0 |
| 181 | Email notification about login email changed is not received when using verified linked email address | $0.0 |
| 182 | Server Side Request Forgery mitigation bypass | $0.0 |
| 183 | Send arbitrary PUT requests when user clicks on a link | $0.0 |
| 184 | Unrestricted file upload leads to Stored XSS | $0.0 |
| 185 | Stored XSS in blob viewer | $0.0 |
| 186 | Full Read SSRF on Gitlab's Internal Grafana | $0.0 |
| 187 | SSRF In plantuml (on plantuml.pre.gitlab.com) | $0.0 |
| 188 | Stealing data from customers.gitlab.com without user interaction | $0.0 |
| 189 | Privilege escalation from any user (including external) to gitlab admin when admin impersonates you | $0.0 |
| 190 | An attacker can run pipeline jobs as arbitrary user | $0.0 |
| 191 | SSRF into Shared Runner, by replacing dockerd with malicious server in Executor | $0.0 |
| 192 | Members from parent group keep their access level on a subgroup transfer and are invisible | $0.0 |
| 193 | Adding everyone to the repo due to the lack of rate limit | $0.0 |
| 194 | Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result | $0.0 |
| 195 | Elasticsearch leaks data through the notes scope | $0.0 |
| 196 | Possibility to purchase Ultimate - 1 Year (EDU or OSS) | $0.0 |
| 197 | Todos are not redacted when membership changes - Access to (confidential) issues and merge requests | $0.0 |
| 198 | Insufficient Type Check on GraphQL leading to Maintainer delete repository | $0.0 |
| 199 | Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... | $0.0 |
| 200 | GitLab-Runner on Windows DOCKER_AUTH_CONFIG container host Command Injection | $0.0 |
| 201 | Unauthorized access to private project security dashboard | $0.0 |
| 202 | XSS on Issue reference numbers | $0.0 |
| 203 | CRLF injection & SSRF in git:// protocol lead to arbitrary code execution | $0.0 |
| 204 | Unauthorized user is able to access schedule pipeline variables and values | $0.0 |
| 205 | Stored-XSS in error message of build-dependencies | $0.0 |
| 206 | Able to leak private email of any user given his/her username via graphql | $0.0 |
| 207 | Remote hacker can download all the files of master branch in public projects where everything is members only. | $0.0 |
| 208 | GraphQL Query leads to sensitive information disclosure | $0.0 |
| 209 | [information disclosure] Validate existence of a private project. | $0.0 |
| 210 | Ability To Delete User(s) Account Without User Interaction | $0.0 |
| 211 | Kroki Arbitrary File Read/Write | $0.0 |
| 212 | Responsible Disclosure of Privacy Leakage Issue | $0.0 |
| 213 | Stored-XSS on wiki pages | $0.0 |
| 214 | Stored-XSS in merge requests | $0.0 |
| 215 | FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com | $0.0 |
| 216 | Stored-XSS in merge requests | $0.0 |
| 217 | Clipboard DOM-based XSS | $0.0 |
| 218 | Stored XSS in Mermaid when viewing Markdown files | $0.0 |
| 219 | Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities | $0.0 |
| 220 | Cache poisoning Denial of Service affecting assets.gitlab-static.net | $0.0 |
| 221 | Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances | $0.0 |
| 222 | Container escape on public GitLab CI runners | $0.0 |
| 223 | Bypass for Domain-level redirects (Unvalidated Redirects and Forwards) | $0.0 |
| 224 | Exposure of a valid Gitlab-Workhorse JWT leading to various bad things | $0.0 |
| 225 | Able to view hackerone reports attachments | $0.0 |
| 226 | Stored XSS for Grafana dashboard URL | $0.0 |
| 227 | Found Origin IP's lead to access to gitlab | $0.0 |
| 228 | Unauthorized access | $0.0 |
| 229 | ReDoS in net/http affects webhooks: Sidekiq job stuck at 100% CPU for a year | $0.0 |
| 230 | No Restriction on password | $0.0 |
| 231 | Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net | $0.0 |
| 232 | XSS: v-safe-html is not safe enough | $0.0 |
| 233 | CSP-bypass XSS in project settings page | $0.0 |
| 234 | RCE via github import | $0.0 |
| 235 | Dependency Confusion via Lookup Request Forwarding to PyPi.org | $0.0 |
| 236 | Bypass: Stored-XSS with CSP-bypass via scoped labels' color | $0.0 |
| 237 | Stored-XSS with CSP-bypass via labels' color | $0.0 |
| 238 | Blind SSRF in FogBugz project import | $0.0 |
| 239 | Arbitrary escape sequence injection in docker-machine from worker nodes | $0.0 |
| 240 | Stored-XSS injected in Wiki page via Banzai pipeline | $0.0 |
| 241 | Login email verification bypass via /oauth/token. | $0.0 |
| 242 | Removed Guest role user who doesn't have access to private project in members able to view jobs | $0.0 |
| 243 | ReDoS due to device-detector parsing user agents | $0.0 |
| 244 | Maintainer can leak sentry token by changing the configured URL (fix bypass) | $0.0 |
| 245 | Subdomain takeover in Gitlab pages | $0.0 |
| 246 | DOS: taking down a 1k users Gitlab EE instance or multiple Sidekiq instances by importing a malicious repo from a Github EE self-hosted server | $0.0 |