This module exploits an issue in GitLab CE/EE that allows sending reset emails to an unverified email address. In order to takeover the account, the module will exploit the vulnerability adding the attacker's email to the JSON from /users/password endpoint, then it will connect via IMAP to the attacker's email, parse the reset email and change the password.
CVE Link
Exploit Platform
Product Name