AVG-2125 log

Package: gitlab
Status: Fixed
Severity: High
Type: multiple issues
Affected: 14.0.1-1
Fixed: 14.0.3-1
Current: 16.11.0-1 [extra]
Ticket: None
Created: Fri Jul 2 08:36:05 2021
Issue | Severity | Remote | Type
  Description

CVE-2021-31799 | Medium | Yes | Arbitrary command execution
  RDoc before version 6.3.1, as bundled with Ruby before version 2.7.4 and 2.6.8 as well as GitLab before version 14.0.2, used to call Kernel#open to open a...

CVE-2021-22232 | Low | Yes | Content spoofing
  HTML injection was possible via the full name field before version 14.0.2 in GitLab CE.

CVE-2021-22231 | Low | Yes | Denial of service
  A denial of service on the user's profile page is found starting with GitLab CE/EE 8.0 and before 14.0.2 that allows an attacker to reject access to their...

CVE-2021-22230 | Medium | Yes | Arbitrary code execution
  Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later up...

CVE-2021-22229 | Medium | Yes | Information disclosure
  An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8 and before 14.0.2. Under a special condition it was possible to...

CVE-2021-22228 | Medium | Yes | Information disclosure
  An issue has been discovered in GitLab affecting all versions before 14.0.2. Improper access control allows unauthorised users to access project details...

CVE-2021-22227 | Medium | Yes | Cross-site scripting
  A reflected cross-site scripting vulnerability in GitLab before version 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on...

CVE-2021-22226 | Medium | Yes | Access restriction bypass
  Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9 and...

CVE-2021-22225 | Medium | Yes | Cross-site scripting
  Insufficient input sanitization in markdown in GitLab version 13.11 and up before version 14.0.2 allows an attacker to exploit a stored cross-site scripting...

CVE-2021-22224 | High | Yes | Cross-site request forgery
  A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before version 14.0.2 allowed an attacker to call mutations...

CVE-2021-22223 | Medium | Yes | Cross-site scripting
  Client-side code injection through a Feature Flag name in GitLab CE/EE starting with 11.9 and before version 14.0.2 allows a specially crafted feature flag...
Date | Advisory | Package | Type
06 Jul 2021 | ASA-202107-18 | gitlab | multiple issues
References:
https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/