GitLab


157 total issues disclosed

$441,210 total paid publicly


Most disclosed (24 disclosures) — Cross-site Scripting (XSS) - Stored




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Stored XSS via Mermaid Prototype Pollution vulnerability | Cross-site Scripting (XSS) - Stored | misha98857 | High | 2021-11-18 |
| ReDoS in syntax highlighting due to Rouge | Denial of Service | doyensec | Medium | 2021-11-15 |
| Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities | Information Disclosure | jobert | Medium | 2021-11-15 |
| Drive-by arbitrary file deletion in the GDK via letter_opener_web gem | Cross-Site Request Forgery (CSRF) | vakzz | Medium | 2021-11-12 |
| Stored XSS in Mermaid when viewing Markdown files | Cross-site Scripting (XSS) - DOM | saleemrashid | High | 2021-10-18 |
| Reporters can upload design to issues using the "Move to" feature | Privilege Escalation | maruthi12 | Medium | 2021-10-18 |
| Stored XSS in markdown via the DesignReferenceFilter | Cross-site Scripting (XSS) - Stored | vakzz | Critical | 2021-10-18 |
| Privilege escalation of "external user" (with maintainer privilege) to internal access through project token | Privilege Escalation | joaxcar | Medium | 2021-10-11 |
| Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" | Cross-site Scripting (XSS) - Stored | joaxcar | High | 2021-09-15 |
| Guest users can create new test cases | Privilege Escalation | maruthi12 | Medium | 2021-08-30 |
| A deactivated user can access data through GraphQL | Improper Access Control - Generic | joaxcar | Medium | 2021-08-30 |
| A profile page of a user can be denied from loading by appending .html to the username | Violation of Secure Design Principles | maruthi12 | Low | 2021-08-30 |
| When you call your branch the same name as a git hash, it could be checked out by dependents | Resource Injection | retroplasma | Medium | 2021-08-19 |
| Clipboard DOM-based XSS | Cross-site Scripting (XSS) - DOM | vovohelo | Medium | 2021-08-19 |
| CSRF on /api/graphql allows executing mutations through GET requests | Cross-Site Request Forgery (CSRF) | az3z3l | High | 2021-08-02 |
| Stored-XSS in merge requests | Cross-site Scripting (XSS) - Reflected | ba5d2d132de8622c890dd60 | None | 2021-07-19 |
| Stored XSS in custom emoji | Cross-site Scripting (XSS) - Stored | ooooooo_q | High | 2021-07-19 |
| FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com | Server-Side Request Forgery (SSRF) | ajxchapman | High | 2021-07-13 |
| Stored-XSS on wiki pages | Cross-site Scripting (XSS) - Stored | yvvdwf | Medium | 2021-07-13 |
| Stored-XSS in merge requests | Cross-site Scripting (XSS) - Stored | yvvdwf | High | 2021-07-13 |
| Stored XSS via Mermaid Prototype Pollution vulnerability | Cross-site Scripting (XSS) - Stored | taraszelyk | High | 2021-07-12 |
| Stored DOM XSS via Mermaid chart | Cross-site Scripting (XSS) - Stored | taraszelyk | High | 2021-07-12 |
| Arbitrary file read during project import | Path Traversal | saltyyolk | Critical | 2021-05-24 |
| Kroki Arbitrary File Read/Write | Improper Access Control - Generic | ledz1996 | High | 2021-05-21 |
| RCE when removing metadata with ExifTool | Code Injection | vakzz | Critical | 2021-05-14 |
| XSS in request approvals | Cross-site Scripting (XSS) - Stored | circuit | Medium | 2021-04-23 |
| RCE via unsafe inline Kramdown options when rendering certain Wiki pages | Code Injection | vakzz | Critical | 2021-04-20 |
| Ability To Delete User(s) Account Without User Interaction | Misconfiguration | hx01 | High | 2021-03-17 |
| XSS on Issue reference numbers | Cross-site Scripting (XSS) - DOM | yvvdwf | Medium | 2020-11-23 |
| CRLF injection & SSRF in git:// protocol lead to arbitrary code execution | Server-Side Request Forgery (SSRF) | chromium1337 | High | 2020-11-23 |
| Unauthorized access to private project security dashboard | Information Disclosure | vaib25vicky | Medium | 2020-11-21 |
| Stored XSS in group issue list | Cross-site Scripting (XSS) - Stored | mike12 | Medium | 2020-11-21 |
| Guest users can change the confidentiality attribute on those issues that have been assigned to them | Improper Access Control - Generic | 0xwintermute | Low | 2020-11-09 |
| GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection | OS Command Injection | ajxchapman | High | 2020-11-04 |
| Instant open redirect on Live preview WEB Ide opening | Open Redirect | chaosbolt | Low | 2020-11-04 |
| SafeParamsHelper::safe_params is not so safe | Cross-site Scripting (XSS) - Reflected | vakzz | High | 2020-11-02 |
| Possibility to purchase Ultimate - 1 Year (EDU or OSS) | Business Logic Errors | steppe | Low | 2020-11-02 |
| Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... | Type Confusion | ledz1996 | High | 2020-11-02 |
| Insufficient Type Check on GraphQL leading to Maintainer delete repository | Improper Access Control - Generic | ledz1996 | High | 2020-11-02 |
| Todos are not redacted when membership changes - Access to (confidential) issues and merge requests | Information Disclosure | vaib25vicky | Medium | 2020-11-02 |
| Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result | Improper Access Control - Generic | rpadovani | Medium | 2020-10-06 |
| Elasticsearch leaks data through the notes scope | Improper Access Control - Generic | rpadovani | Medium | 2020-10-06 |
| Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties | Authentication Bypass Using an Alternate Path or Channel | cache-money | High | 2020-10-01 |
| Adding everyone to the repo due to the lack of rate limit | Insecure Direct Object Reference (IDOR) | sadd_man | High | 2020-09-15 |
| Stored XSS in markdown when redacting references | Cross-site Scripting (XSS) - Stored | vakzz | High | 2020-09-09 |
| Stored XSS on PyPi simple API endpoint | Cross-site Scripting (XSS) - Stored | vakzz | Medium | 2020-09-09 |
| SSRF into Shared Runner, by replacing dockerd with malicious server in Executor | Server-Side Request Forgery (SSRF) | lucash-dev | Medium | 2020-09-08 |
| Members from parent group keep their access level on a subgroup transfer and are invisible | Improper Access Control - Generic | kryword | High | 2020-09-08 |
| EXIF metadata not stripped from JPG group logos | Information Disclosure | jackb898 | Low | 2020-09-08 |
| Injection of `http.<url>.*` git config settings leading to SSRF | Server-Side Request Forgery (SSRF) | vakzz | High | 2020-09-08 |
| Stealing data from customers.gitlab.com without user interaction | Insecure Direct Object Reference (IDOR) | rpadovani | High | 2020-08-26 |
| Initial mirror user can be assigned by other user even if the mirror was removed | Improper Access Control - Generic | sky003 | Medium | 2020-08-26 |
| An attacker can run pipeline jobs as arbitrary user | Business Logic Errors | u3mur4 | Critical | 2020-08-26 |
| Privilege escalation from any user (including external) to gitlab admin when admin impersonates you | Privilege Escalation | skavans | Critical | 2020-08-26 |
| Stored XSS in "Create Groups" | Cross-site Scripting (XSS) - Stored | rioncool22 | High | 2020-08-26 |
| SSRF In plantuml (on plantuml.pre.gitlab.com) | Server-Side Request Forgery (SSRF) | plazmaz | Medium | 2020-08-17 |
| Full Read SSRF on Gitlab's Internal Grafana | Server-Side Request Forgery (SSRF) | rhynorater | Critical | 2020-08-07 |
| Stored XSS in blob viewer | Cross-site Scripting (XSS) - Stored | yvvdwf | Medium | 2020-08-04 |
| Unrestricted file upload leads to Stored XSS | Cross-site Scripting (XSS) - Stored | semsem123 | Medium | 2020-08-03 |
| Send arbitrary PUT requests when user clicks on a link | Command Injection - Generic | yvvdwf | Medium | 2020-07-27 |
| gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read | Information Disclosure | vakzz | Critical | 2020-06-08 |
| SSRF on project import via the remote_attachment_url on a Note | Server-Side Request Forgery (SSRF) | vakzz | High | 2020-06-08 |
| No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im | Denial of Service | gregxsunday | Low | 2020-05-15 |
| Arbitrary file read via the UploadsRewriter when moving an issue | Path Traversal | vakzz | Critical | 2020-04-27 |
| Server Side Request Forgery mitigation bypass | Server-Side Request Forgery (SSRF) | mclaren650sspider | High | 2020-04-18 |
| Git flag injection leading to file overwrite and potential remote code execution | Command Injection - Generic | vakzz | Critical | 2019-12-19 |
| Git flag injection - local file overwrite to remote code execution | Command Injection - Generic | vakzz | Critical | 2019-12-19 |
| Cross-site Scripting (XSS) - Stored in RDoc wiki pages | UI Redressing (Clickjacking) | vakzz | High | 2019-12-16 |
| Git flag injection - Search API with scope 'blobs' | Command Injection - Generic | vakzz | High | 2019-12-15 |
| Group search with Elastic search enabled leaks unrelated data | Improper Access Control - Generic | rpadovani | High | 2019-12-14 |
| Group search leaks private MRs, code, commits | Improper Access Control - Generic | rpadovani | High | 2019-12-14 |
| Bypass Email Verification using Salesforce -- Reproducible in gitlab.com | Violation of Secure Design Principles | ngalog | High | 2019-12-13 |
| GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery | Server-Side Request Forgery (SSRF) | ajxchapman | High | 2019-12-12 |
| Importing GitLab project archives can replace uploads of other users | Insecure Direct Object Reference (IDOR) | ajxchapman | High | 2019-12-11 |
| GraphQL query "namespace" leaks data | Improper Access Control - Generic | rpadovani | Medium | 2019-12-03 |
| Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests | Privilege Escalation | jobert | Critical | 2019-11-27 |
| DoS attack via comment on Issue | Denial of Service | 8ayac | Low | 2019-11-21 |
| Know whether private project name exists or not within a group using link comments | Information Disclosure | ashish_r_padelkar | Low | 2019-10-07 |
| Stored XSS in Wiki pages | Cross-site Scripting (XSS) - Stored | ryhmnlfj | High | 2019-09-02 |
| Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain | Reliance on Untrusted Inputs in a Security Decision | ngalog | Medium | 2019-08-31 |
| Persistent XSS in Note objects | Cross-site Scripting (XSS) - Stored | saltyyolk | High | 2019-07-19 |
| Local files could be overwritten in GitLab, leading to remote command execution | Command Injection - Generic | saltyyolk | Critical | 2019-07-17 |
| Attacker is able to access commit title and team member comments which are supposed to be private | Improper Access Control - Generic | yashrs | High | 2019-07-03 |
| information disclosure of secret_key_base via encoding characters | Information Exposure Through an Error Message | paresh_parmar | High | 2019-06-14 |
| information disclosure of secret_key_base via encoding characters | Information Exposure Through an Error Message | paresh_parmar | High | 2019-06-14 |
| information disclosure of secret_key_base via encoding characters | Information Exposure Through an Error Message | paresh_parmar | High | 2019-06-14 |
| DoS on the Issue page by exploiting Mermaid. | Denial of Service | 8ayac | Medium | 2019-05-13 |
| JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions | Information Disclosure | jobert | Critical | 2019-04-20 |
| Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com | Incorrect Authorization | rijalrojan | Critical | 2019-04-19 |
| SSRF in CI after first run | Server-Side Request Forgery (SSRF) | plazmaz | Medium | 2019-04-12 |
| Bypass of GitLab CI runner slash fix in YAML validation | Improper Input Validation | ngalog | Critical | 2019-04-10 |
| Unauthenticated blind SSRF in OAuth Jira authorization controller | Server-Side Request Forgery (SSRF) | jobert | High | 2019-03-14 |
| Exfiltrate and mutate repository and project data through injected templated service | Improper Access Control - Generic | jobert | Critical | 2019-03-05 |
| Snippet JS template allows attacker to read a user's private snippets | Information Disclosure | jobert | Low | 2019-03-03 |
| Stored XSS on Issue details page | Cross-site Scripting (XSS) - Stored | 8ayac | High | 2018-10-30 |
| Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) | Cross-site Scripting (XSS) - Stored | phillycheeze | Medium | 2018-09-20 |
| Vulnerability in project import leads to arbitrary command execution | Command Injection - Generic | nyangawa | Critical | 2018-08-22 |
| HTML TAG INJECTION ON PROFILE NAME | Cross-site Scripting (XSS) - Stored | rootbakar_ | Low | 2018-07-27 |
| Potential SSRF via Git repository URL | Server-Side Request Forgery (SSRF) | rootbakar | Medium | 2018-07-16 |
| Persistent XSS - Selecting users as allowed merge request approvers | Cross-site Scripting (XSS) - Stored | phillycheeze | Medium | 2018-07-16 |
| XSS (Persistent) - Selecting role(s) for protected branches | Cross-site Scripting (XSS) - Stored | phillycheeze | High | 2018-07-16 |
| SSRF when importing a project from a git repo by URL | Information Disclosure | strukt | No rating | 2018-05-30 |
| GitHub import allows user to create child group under existing namespace | Improper Access Control - Generic | jobert | High | 2018-05-24 |
| SSRF vulnerability in gitlab.com webhook | Server-Side Request Forgery (SSRF) | wuqidashi | Medium | 2018-04-30 |
| SQL injection in MilestoneFinder order method | SQL Injection | jobert | Critical | 2018-04-27 |
| GitLab CI runner can read and poison cache of all other projects | Path Traversal | jobert | Critical | 2018-04-27 |
| Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook | Server-Side Request Forgery (SSRF) | jobert | High | 2018-04-27 |
| Command injection by overwriting authorized_keys file through GitLab import | Command Injection - Generic | jobert | Critical | 2018-04-27 |
| Using GitLab to monitor and hijack domains in mass quantity. | Business Logic Errors | edoverflow | High | 2018-02-22 |
| Cookie bomb | Denial of Service | moritz30 | Medium | 2018-02-16 |
| Lack of validation before assigning custom domain names leading to abuse of GitLab pages service | Phishing | badshah_ | Medium | 2018-02-02 |
| SSRF via git Repo by URL Abuse | Server-Side Request Forgery (SSRF) | nthack | Medium | 2017-11-28 |
| SSRF vulnerability in gitlab.com via project import. | Server-Side Request Forgery (SSRF) | edoverflow | Medium | 2017-11-09 |
| [Markdown] Stored XSS via character encoding parser bypass | Cross-site Scripting (XSS) - Stored | ysx | Medium | 2017-10-18 |
| CSRF-Token leak by request forgery | Cross-Site Request Forgery (CSRF) | naure | Medium | 2017-10-09 |
| Race condition in GitLab import, giving access to other people's imports due to filename collision | Information Disclosure | jobert | Low | 2017-10-03 |
| all private tokens are leaked to an unauthenticated attacker | Privilege Escalation | rpearl | Critical | 2017-09-21 |
| Access to GitLab's Slack by abusing issue creation from e-mail | Improper Authentication - Generic | intidc | Critical | 2017-09-21 |
| Impersonation attack via Broken Link in Resellers Page | Violation of Secure Design Principles | cdl | Low | 2017-09-08 |
| Gitlab is vulnerable to impersonation attacks due to broken links | Violation of Secure Design Principles | b3nac | Low | 2017-09-06 |
| CSV injection in gitlab.com via issues export feature. | Command Injection - Generic | edoverflow | Medium | 2017-07-21 |
| Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution | Violation of Secure Design Principles | pruby | Low | 2017-06-28 |
| GFM renderer leaks external issue tracker URL of private project | Information Disclosure | jobert | No rating | 2017-06-09 |
| Gitlab.com is vulnerable to reverse tabnabbing. (#2) | UI Redressing (Clickjacking) | edoverflow | Medium | 2017-05-09 |
| Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) | UI Redressing (Clickjacking) | edoverflow | Medium | 2017-05-09 |
| Stored XSS on Files overview by abusing git submodule URL | Cross-site Scripting (XSS) - Stored | jobert | High | 2017-05-09 |
| Markdown based stored XSS (IE only) | Cross-site Scripting (XSS) - Generic | a0xnirudh | No rating | 2017-05-04 |
| CSRF Token Bypass in Account Deletion | Cross-Site Request Forgery (CSRF) | 7h0r4pp4n | Low | 2017-04-20 |
| Unfiltered `class` attribute in markdown code | Cross-site Scripting (XSS) - DOM | chalker | Medium | 2017-04-13 |
| Open redirect | Open Redirect | eadz | Medium | 2017-04-06 |
| [Repository Import] Open Redirect via "continue[to]" parameter | Open Redirect | ysx | Medium | 2017-04-06 |
| [Subgroups] Unprivileged User Can Disclose Private Group Names | Insecure Direct Object Reference (IDOR) | ysx | Medium | 2017-03-30 |
| Gitlab.com is vulnerable to reverse tabnabbing. | Open Redirect | edoverflow | Low | 2017-03-21 |
| [reStructuredText] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| [Textile] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| [RDoc] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| Users can download old project exports due to unclaimed namespace | Information Disclosure | jobert | Medium | 2017-01-24 |
| Every user can delete public deploy keys | Privilege Escalation | jobert | Medium | 2017-01-24 |
| User with guest access can access private merge requests | Privilege Escalation | jobert | Medium | 2017-01-24 |
| Users with guest access can post notes to private merge requests, issues, and snippets | Privilege Escalation | jobert | Medium | 2017-01-24 |
| Mailgun misconfiguration leads to email snooping and [email protected] on email.mg.gitlab.com | Privilege Escalation | fransrosen | No rating | 2016-12-06 |
| State filter in IssuableFinder allows attacker to delete all issues and merge requests | Privilege Escalation | jobert | High | 2016-12-06 |
| Ability to access all user authentication tokens, leads to RCE | Privilege Escalation | jobert | Critical | 2016-11-03 |
| Read files on application server, leads to RCE | Information Disclosure | jobert | Critical | 2016-11-03 |
| Insecure 2FA/authentication implementation creates a brute force vulnerability | Violation of Secure Design Principles | yaworsk | No rating | 2016-10-28 |
| Boards leak private label names and descriptions | Information Disclosure | jobert | No rating | 2016-09-02 |
| XSS On meta tags in profile page | Cross-site Scripting (XSS) - Generic | plazmaz | No rating | 2016-08-21 |
| Attacker can extract list of private project's project members | Information Disclosure | jobert | No rating | 2016-08-01 |
| Persistent XSS on public wiki pages | Cross-site Scripting (XSS) - Generic | jobert | No rating | 2016-07-27 |
| Privilege escalation to access all private groups and repositories | Privilege Escalation | jobert | No rating | 2016-07-27 |
| Attacker can delete (and read) private project webhooks | Privilege Escalation | jobert | No rating | 2016-05-03 |
| Attacker can post notes on private MR, snippets, and issues | Privilege Escalation | jobert | No rating | 2016-05-03 |
| Confidential issues leaked in public projects when attached to milestone | Information Disclosure | jobert | No rating | 2016-05-03 |
| Private snippets in public / internal projects leaked through GitLab API | Information Disclosure | jobert | No rating | 2016-05-03 |
| Persistent XSS on public project page | Cross-site Scripting (XSS) - Generic | jobert | No rating | 2016-05-03 |
| Labels created in private projects are leaked | Information Disclosure | jobert | No rating | 2016-05-03 |
| Bypassing password authentication of users that have 2FA enabled | Improper Authentication - Generic | jobert | No rating | 2016-04-18 |