HTML injection was possible via the full name field prior to 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
gitlab gitlab