Attacker makes comments on private commits, private issues and other private areas.
HackerOne report #635744 by uzsunny on 2019-07-04, assigned to gitlab_cmaxim:
Reproduction steps:
This issue is similar to this one: https://hackerone.com/reports/502593
Create a public group and a public project on gitlab.com.
Now the attacker will enable the group watch notifications for the group only,
for example: https://gitlab.com/your-test-group-name
Next, the attacker will create comments on public project commits which are created by the group.
Next, the attacker will create comments on public project issues which are created by the group.
Now the victim changes the project visibility from public to internal.
Make the project issues and commits accessible only to the members of the project.
If the attacker tries to visit the commits link, he may see a not found page:
https://gitlab.com/hello-test-group/test-makers-high/commit/9510fe60d34e1f89e3cdeb9b8befa427c3acd332
But the attacker will add comments via email by replying to his emails.
Whenever the victim checks his private commits page, the comments are added by the attacker.
The same thing happens if he visits issues: the issues may not be visible to the attacker and he will see a 404 not found page:
https://gitlab.com/hello-test-group/test-makers-high/issues/2
But he will add issue comments and reply to discussions via email.
Whenever the victim checks the issue page, the comments are added by the attacker.
Wherever discussions and comments are available in the internal project, the attacker will add the comments.
Impact
The attacker will add comments on issues and private commits by email, which he is not supposed to be able to do.
The attacker will comment wherever discussions are available in all areas of the internal project.
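The flaw the report describes is an authorization decision that is made once, when the notification email is sent, and then trusted for as long as the reply address stays valid. The following Ruby is an added illustration of that gap and of the re-check that closes it; it is not GitLab's code, and the data model, the `MailHandler` class, the reply-key format and the treatment of internal projects as members-only are all assumptions made for the example.

```ruby
require 'securerandom'

# Data model (an assumption for this example, not GitLab's schema).
Project = Struct.new(:path, :visibility, :members_only_features, :members) do
  # Can +user+ read issues/commits right now? Non-members lose access once
  # the project is no longer public or its issues/repository are set to
  # "only project members". Internal projects are treated as members-only
  # here to keep the example short.
  def readable_by?(user)
    return true if members.include?(user)
    visibility == :public && !members_only_features
  end
end

Note     = Struct.new(:project, :author, :body)
ReplyKey = Struct.new(:recipient, :project)

class MailHandler
  attr_reader :notes

  def initialize
    @notes = []
    @keys  = {} # reply key => ReplyKey, one per notification email sent
  end

  # Called when a notification email goes out. The returned key would be
  # embedded in the Reply-To address (the exact format is an assumption).
  def issue_reply_key(recipient, project)
    key = SecureRandom.hex(16)
    @keys[key] = ReplyKey.new(recipient, project)
    key
  end

  # Vulnerable handling: a valid reply key is treated as proof that the
  # sender may comment. The authorization was effectively decided when the
  # notification was sent, so a later visibility change is never consulted.
  def receive_unsafe(key, sender, body)
    rk = @keys[key]
    return :unknown_key unless rk
    return :sender_mismatch unless rk.recipient == sender
    @notes << Note.new(rk.project, sender, body)
    :created
  end

  # Hardened handling: the key still identifies the thread and the sender,
  # but the sender's current permission on the project is re-checked before
  # the note is created.
  def receive_safe(key, sender, body)
    rk = @keys[key]
    return :unknown_key unless rk
    return :sender_mismatch unless rk.recipient == sender
    return :forbidden unless rk.project.readable_by?(sender)
    @notes << Note.new(rk.project, sender, body)
    :created
  end
end

# Replay of the report's scenario with constructed data.
def run_scenario(handler_method, sender = 'attacker')
  project = Project.new('hello-test-group/test-makers-high', :public, false, ['owner'])
  handler = MailHandler.new
  # The sender watches the group and receives a notification while the
  # project is public, so a reply key is minted for them.
  key = handler.issue_reply_key(sender, project)
  # The victim restricts the project: internal, issues/commits members-only.
  project.visibility = :internal
  project.members_only_features = true
  # The sender replies to the old email.
  result = handler.public_send(handler_method, key, sender, 'still here')
  [result, handler.notes.size]
end

if __FILE__ == $0
  p run_scenario(:receive_unsafe)          # the non-member's comment lands
  p run_scenario(:receive_safe)            # the reply is rejected
  p run_scenario(:receive_safe, 'owner')   # a member can still reply
end
```

The design point is that a reply key only identifies who is replying and to what; it must not be treated as a capability that grants the right to comment. Authorization belongs at the moment the incoming email is processed, against the project's visibility and feature settings as they are then, exactly as the web UI does when it returns the 404 the report observes.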