HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Gitlab | Gitlab | 9.5.0 (including) | 13.11.6 (excluding) |
Gitlab | Gitlab | 13.12.0 (including) | 13.12.6 (excluding) |
Gitlab | Gitlab | 14.0.0 (including) | 14.0.2 (excluding) |
Gitlab | Ubuntu | esm-apps/xenial | * |
Gitlab | Ubuntu | xenial | * |