An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
{
"versions": [
{
"introduced": "13.4.0"
},
{
"fixed": "13.8.7"
},
{
"introduced": "13.4.0"
},
{
"fixed": "13.8.7"
},
{
"introduced": "13.9.0"
},
{
"fixed": "13.9.5"
},
{
"introduced": "13.9.0"
},
{
"fixed": "13.9.5"
},
{
"introduced": "13.10.0"
},
{
"fixed": "13.10.1"
},
{
"introduced": "13.10.0"
},
{
"fixed": "13.10.1"
}
]
}