The host is installed with GitLab CE/EE 7.14 before 15.11.10, 16.0 before 16.0.6 or 16.1 before 16.1.1 and is prone to a cross-site scripting vulnerability. A flaw is present in the application, which fails to properly sanitize the email address field. Successful exploitation could allow remote attackers to inject HTML into an email address field.
The host is installed with GitLab CE/EE 13.10 before 15.11.10, 16.0 before 16.0.6 or 16.1 before 16.1.1 and is prone to an authorization bypass through a user-controlled key. A flaw is present in the application, which fails to properly enforce the visibility of an upstream project against its existing forks. Successful exploitation could allow users to view new commits to a private project through a fork that was created while the project was still public.
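The following is an added example, not part of the original advisory text and not GitLab's own code: it turns the affected version ranges stated in both entries above into a check that can be run against a version string taken from a host (for example the `version` field returned by the GitLab REST API, or the output of `gitlab-rake gitlab:env:info`). The range table is copied from the two entries; the version strings in the test data are constructed for illustration. A lower bound such as `7.14` is treated as `7.14.0`, and an `-ee`/`-ce` suffix is ignored, which are assumptions about how the scanner expresses ranges.

```python
"""
Check a GitLab CE/EE version string against the affected ranges given in
the two advisory entries above. Added example; assumptions are noted inline.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as (first affected, inclusive; first fixed, exclusive),
# copied from the advisory text. The keys are descriptive labels chosen
# here, not identifiers from the advisory.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "html-injection-in-email-address-field": [
        ("7.14", "15.11.10"), ("16.0", "16.0.6"), ("16.1", "16.1.1"),
    ],
    "private-project-commits-visible-via-fork": [
        ("13.10", "15.11.10"), ("16.0", "16.0.6"), ("16.1", "16.1.1"),
    ],
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    A missing patch component is assumed to mean .0, so the range bound
    '7.14' is read as 7.14.0. Trailing edition suffixes such as '-ee' or
    '-ce' (as GitLab reports them) are ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version lies in any [first_affected, first_fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_issues(version: str) -> List[str]:
    """Return the labels of every advisory entry that applies to version."""
    return [name for name, ranges in ADVISORIES.items()
            if is_affected(version, ranges)]


if __name__ == "__main__":
    # Constructed sample inputs: one host per branch of the advisory.
    for sample in ("15.11.9-ee", "15.11.10", "16.0.5", "16.1.1", "10.0.0"):
        hits = affected_issues(sample)
        print(f"{sample:<12} {'AFFECTED: ' + ', '.join(hits) if hits else 'not affected'}")
```

Note that the two entries share the same fixed versions but different lower bounds, so a 10.x host is reported as affected only by the HTML injection entry, while a 13.10 or later host in the vulnerable range is reported for both.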