Mario-Areias

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions 11.8.x through 11.8.8 GitLab Community and Enterprise Edition versions 11.9.x through 11.9.9 GitLab Community and Enterprise Edition versions 11.10.x through 11.10.1 **Description** The issue is related to improper encoding or escaping of output, which could potentially lead to XSS issues. Specifically, the branch name on new merge request notification emails is not escaped. **Recommendations** For GitLab Community and Enterprise Edition versions 11.8.x through 11.8.8, update to version 11.8.9 or later. For GitLab Community and Enterprise Edition versions 11.9.x through 11.9.9, update to version 11.9.10 or later. For GitLab Community and Enterprise Edition versions 11.10.x through 11.10.1, update to version 11.10.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab Community and Enterprise Edition versions prior to 11.8.9 **Description** The issue is related to Incorrect Access Control, allowing unprivileged members of a project to post comments on confidential issues. This is due to an authorization issue in the note endpoint, specifically the `/note` endpoint. **Recommendations** For versions prior to 11.8.9, update to version 11.8.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 11.11.6 GitLab versions prior to 12.0.4 GitLab versions prior to 12.1.2 **Description** An issue with input validation and output encoding was found in the email notification feature, potentially leading to a persistent XSS. **Recommendations** For versions prior to 11.11.6, update to version 11.11.6 or later. For versions prior to 12.0.4, update to version 12.0.4 or later. For versions prior to 12.1.2, update to version 12.1.2 or later.