Fransrosen

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions 11.1.7 and earlier, 11.2.x through 11.2.3, 11.3.x through 11.3.0 **Description** An issue was discovered in GitLab Community and Enterprise Edition, where blog-viewer has stored XSS during repository browsing, if package.json exists. **Recommendations** For versions 11.1.7 and earlier, update to version 11.1.7 or later. For versions 11.2.x through 11.2.3, update to version 11.2.4 or later. For versions 11.3.x through 11.3.0, update to version 11.3.1 or later. As a temporary workaround, consider restricting access to the blog-viewer feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 7.6 up to 11.3.10 GitLab CE/EE versions 11.4 up to 11.4.7 GitLab CE/EE versions 11.5 up to 11.5.0 **Description** The issue is related to an XSS vulnerability in the OAuth authorization page. **Recommendations** For GitLab CE/EE versions 7.6 up to 11.3.10, update to version 11.3.11 or later. For GitLab CE/EE versions 11.4 up to 11.4.7, update to version 11.4.8 or later. For GitLab CE/EE versions 11.5 up to 11.5.0, update to version 11.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 10.3 through 11.5 before 11.5.1 GitLab CE/EE version 11.4 before 11.4.8 GitLab CE/EE version 11.3 before 11.3.11 **Description** The issue is related to an XSS vulnerability in Markdown fields via Mermaid. **Recommendations** For GitLab CE/EE versions 10.3 through 11.3 before 11.3.11, update to version 11.3.11 or later. For GitLab CE/EE version 11.4 before 11.4.8, update to version 11.4.8 or later. For GitLab CE/EE version 11.5 before 11.5.1, update to version 11.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community Edition versions prior to 10.7.6 GitLab Community Edition versions 10.8.x prior to 10.8.5 GitLab Community Edition versions 11.x prior to 11.0.1 GitLab Enterprise Edition versions prior to 10.7.6 GitLab Enterprise Edition versions 10.8.x prior to 10.8.5 GitLab Enterprise Edition versions 11.x prior to 11.0.1 **Description** The issue is related to a persistent XSS problem in the charts feature due to a lack of output encoding. **Recommendations** For GitLab Community Edition versions prior to 10.7.6, update to version 10.7.6 or later. For GitLab Community Edition versions 10.8.x prior to 10.8.5, update to version 10.8.5 or later. For GitLab Community Edition versions 11.x prior to 11.0.1, update to version 11.0.1 or later. For GitLab Enterprise Edition versions prior to 10.7.6, update to version 10.7.6 or later. For GitLab Enterprise Edition versions 10.8.x prior to 10.8.5, update to version 10.8.5 or later. For GitLab Enterprise Edition versions 11.x prior to 11.0.1, update to version 11.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions prior to 10.8.7 GitLab Community and Enterprise Edition versions 11.0.x prior to 11.0.5 GitLab Community and Enterprise Edition versions 11.1.x prior to 11.1.2 **Description** An issue allows XSS to occur in the branch name during a Web IDE file commit. **Recommendations** For versions prior to 10.8.7, update to version 10.8.7 or later. For versions 11.0.x prior to 11.0.5, update to version 11.0.5 or later. For versions 11.1.x prior to 11.1.2, update to version 11.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions prior to 10.8.7 GitLab Community and Enterprise Edition versions 11.0.x prior to 11.0.5 GitLab Community and Enterprise Edition versions 11.1.x prior to 11.1.2 **Description** An issue allows XSS to occur via a Milestone name during a promotion. **Recommendations** For versions prior to 10.8.7, update to version 10.8.7 or later. For versions 11.0.x prior to 11.0.5, update to version 11.0.5 or later. For versions 11.1.x prior to 11.1.2, update to version 11.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Editions versions 8.4 up to 10.4 **Description** The issue is caused by a lack of input validation in the merge request component, specifically in filenames in changes tabs of merge requests, leading to cross-site scripting (XSS). **Recommendations** For versions 8.4 up to 10.4, update to version 10.6.3, 10.5.7, or 10.4.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ownCloud Server versions prior to 9.0.4 Nextcloud Server versions prior to 9.0.52 **Description** A cross-site scripting (XSS) issue exists in the gallery application of ownCloud and Nextcloud servers, specifically in the share.js file. This allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. **Recommendations** For ownCloud Server versions prior to 9.0.4, update to version 9.0.4 or later. For Nextcloud Server versions prior to 9.0.52, update to version 9.0.52 or later.