Johan

**Name of the Vulnerable Software and Affected Versions** GitLab EE versions 14.5 through 14.10.4 GitLab EE versions 15.0 through 15.0.3 GitLab EE versions 15.1 through 15.1.0 **Description** Insufficient sanitization in GitLab EE's external issue tracker allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link. **Recommendations** For GitLab EE versions 14.5 through 14.10.4, update to version 14.10.5 or later. For GitLab EE versions 15.0 through 15.0.3, update to version 15.0.4 or later. For GitLab EE versions 15.1 through 15.1.0, update to version 15.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 14.4 through 14.7.6 GitLab CE/EE versions 14.8 through 14.8.4 GitLab CE/EE versions 14.9 through 14.9.1 **Description** The issue is related to the lack of protection of the web page structure, allowing for remote attackers to conduct cross-site scripting attacks. Improper neutralization of user input enables attackers to inject HTML in notes, leading to potential exploitation. **Recommendations** For GitLab CE/EE versions 14.4 through 14.7.6, update to version 14.7.7 or later. For GitLab CE/EE versions 14.8 through 14.8.4, update to version 14.8.5 or later. For GitLab CE/EE versions 14.9 through 14.9.1, update to version 14.9.2 or later.

Name of the Vulnerable Software and Affected Versions: GitLab versions 13.0 through 14.0.8 GitLab versions 14.1 through 14.1.3 GitLab versions 14.2 through 14.2.1 Description: An issue has been discovered in GitLab where a user account with 'external' status, granted the 'Maintainer' role on any project, may elevate its privilege to 'Internal' and access Internal projects if 'project tokens' are allowed on the GitLab instance. Recommendations: For versions 13.0 through 14.0.8, update to version 14.0.9 or later. For versions 14.1 through 14.1.3, update to version 14.1.4 or later. For versions 14.2 through 14.2.1, update to version 14.2.2 or later.