Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ would allow stealing a user's API access token. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. Note: A way to bypass the fix released in GitLab version 13.7.2, 13.6.4, and 13.5.6 has been found and was subsequently fixed in version 13.7.4, 13.6.5, and 13.5.7.
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ would allow stealing a user's API access token. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6. Note: A way to bypass the fix released in GitLab version 13.7.2, 13.6.4, and 13.5.6 has been found and was subsequently fixed in version 13.7.4, 13.6.5, and 13.5.7.
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#ability-to-steal-a-users-api-access-token-through-gitlab-pages https://gitlab.com/gitlab-org/gitlab-foss/-/commit/fa70ce1068babe592d348497c772f1b5160cbb6e https://gitlab.com/gitlab-org/gitlab-foss/-/commit/e861919633e0aac16509c0415f71eda69902bff9