Stored XSS in merge request creation page
Denial-of-service attack in Markdown parser
Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown
DNS Rebinding vulnerability in Gitea importer
Exposure of trigger tokens on project exports
Improper access control for users with expired password
Access tokens are not cleared after impersonation
Reflected Cross-Site Scripting in Jira Integration
DNS Rebinding vulnerability in Fogbugz importer
Access tokens persist after project deletion
User enumeration vulnerability
Potential DoS via API requests
Pending invitations of public groups and public projects are visible to any user
Bypass Disabled Repo by URL Project Creation
Low privileged users can see names of the private groups shared in projects
API discloses sensitive info to low privileged users
Epic listing does not honour group memberships
Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed
Low privileged users can import users from projects that they are not a maintainer on
Potential DoS via dependencies API
Create a project with unlimited repository size through malicious Project Import
Bypass disabled Bitbucket Server import source project creation
Requirement to enforce 2FA is not honored when using git commands
Content spoofing vulnerability
Improper session management in impersonation feature
Create OAuth application with arbitrary scopes through content spoofing
Lack of account lockout on change password functionality
Epic reference was not updated while moved between groups
Missing authentication allows disabling of two-factor authentication
Information disclosure in SendEntry