CVE-2020-10076: 
GitLab vulnerability analysis and mitigation

GitLab versions 12.1 through 12.8.1 were affected by a stored cross-site scripting (XSS) vulnerability that was discovered when displaying merge requests. The vulnerability was identified and disclosed on March 4, 2020, and was assigned the identifier CVE-2020-10076. This security issue affected both GitLab Community Edition (CE) and Enterprise Edition (EE) installations (GitLab Release).

The vulnerability was classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 Base Score was 4.3 (Medium) with vector string (AV:N/AC:M/Au:N/C:N/I:P/A:N) (NVD).

The vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers when they view affected merge requests. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (GitLab Release).

The vulnerability was patched in GitLab version 12.8.2. GitLab strongly recommended that all installations running affected versions be upgraded to the latest version as soon as possible to mitigate this security risk (GitLab Release).