The host is installed with GitLab EE 11.10 prior to 14.9.5, 14.10 prior to 14.10.4, or 15.0 prior to 15.0.1 and is prone to an account take over vulnerability. A flaw is present in the application, which fails to handle unknown vectors. Successful exploitation allows any owner of a Premium group to invite arbitrary users through their username and email, then change those users email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts.