Attacker is able to access commit title and team member comments which are supposed to be private
HackerOne report #502593 by yashrs on 2019-02-27, assigned to
Summary: [add summary of the vulnerability]
Description: [add more details about this vulnerability]
Steps To Reproduce:
Create a project from account firstname.lastname@example.org with the following permissions:
Note that the project visibility should be
From the victim account, comment on any commit, and you should receive its notification at email@example.com, like this:
As you can see, the commit message, the team members who commented, what the comment was, everything is visible in the email received. This shouldn't be sent via email, because the setting selected for the repository is 'Only Team Members', whereas firstname.lastname@example.org is not a team member.
I have tried my best to have perfect steps to reproduce this, still do tell me if you need more info :)
Using this vulnerability, an attacker is able to view commit titles and all comments which shouldn't be visible to them.
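To show the defect class behind this report (notifications generated without re-checking the recipient's read access), here is an added example that is not the affected project's code: a toy notification dispatcher with the vulnerable recipient selection beside a hardened one. The project, accounts and comment are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    visibility: str                               # "Only Team Members" or "Public"
    members: set = field(default_factory=set)     # accounts allowed to read commits
    watchers: set = field(default_factory=set)    # accounts that subscribed to notifications

@dataclass
class CommentEvent:
    commit_title: str
    author: str
    body: str

def can_read_commits(project: Project, user: str) -> bool:
    """The same rule the web UI enforces: a restricted project requires membership."""
    return project.visibility != "Only Team Members" or user in project.members

def recipients_before_fix(project: Project, event: CommentEvent) -> set:
    """Vulnerable behaviour from the report: every subscriber is mailed the full event,
    even if they could not open the commit in the browser."""
    return {w for w in project.watchers if w != event.author}

def recipients_after_fix(project: Project, event: CommentEvent) -> set:
    """Hardened: authorization is re-evaluated at send time, so a subscriber who is
    not a member of a restricted project is dropped from the recipient list."""
    return {w for w in project.watchers
            if w != event.author and can_read_commits(project, w)}

def render_email(event: CommentEvent) -> str:
    """Body of the mail; note that it carries the commit title and comment text."""
    return f"{event.author} commented on '{event.commit_title}': {event.body}"

# Constructed sample: one outsider subscribed before the project was restricted.
project = Project(
    name="demo",
    visibility="Only Team Members",
    members={"victim@example.com", "teammate@example.com"},
    watchers={"victim@example.com", "teammate@example.com", "outsider@example.org"},
)
event = CommentEvent("Fix credential logging", "victim@example.com", "Looks good, merging")

if __name__ == "__main__":
    print("before fix:", sorted(recipients_before_fix(project, event)))
    print("after fix: ", sorted(recipients_after_fix(project, event)))
    print(render_email(event))
```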