A security issue has been found in GitLab before version 14.0.2. Client-side code injection through a Feature Flag name, affecting GitLab CE/EE starting with version 11.9, allows a specially crafted feature flag name to issue PUT requests on behalf of other users when they click a link.
https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/#stored-xss-on-audit-log