
FreeBSD: VID-1bdd4db6-2223-11ec-91be-001b217b3468 (CVE-2021-39874): Gitlab -- vulnerabilities

Severity: 4
CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published: Sep 30, 2021
Added: Nov 4, 2022
Modified: Dec 10, 2025

Description

Gitlab reports:

- Stored XSS in merge request creation page
- Denial-of-service attack in Markdown parser
- Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown
- DNS Rebinding vulnerability in Gitea importer
- Exposure of trigger tokens on project exports
- Improper access control for users with expired password
- Access tokens are not cleared after impersonation
- Reflected Cross-Site Scripting in Jira Integration
- DNS Rebinding vulnerability in Fogbugz importer
- Access tokens persist after project deletion
- User enumeration vulnerability
- Potential DOS via API requests
- Pending invitations of public groups and public projects are visible to any user
- Bypass Disabled Repo by URL Project Creation
- Low privileged users can see names of the private groups shared in projects
- API discloses sensitive info to low privileged users
- Epic listing does not honour group memberships
- Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed
- Low privileged users can import users from projects that they are not a maintainer on
- Potential DOS via dependencies API
- Create a project with unlimited repository size through malicious Project Import
- Bypass disabled Bitbucket Server import source project creation
- Requirement to enforce 2FA is not honored when using git commands
- Content spoofing vulnerability
- Improper session management in impersonation feature
- Create OAuth application with arbitrary scopes through content spoofing
- Lack of account lockout on change password functionality
- Epic reference was not updated while moved between groups
- Missing authentication allows disabling of two-factor authentication
- Information disclosure in SendEntry

Solution

freebsd-upgrade-package-gitlab-ce