Source: FreeBSD VuXML
ID: 33557582-3958-11EC-90BA-001B217B3468
Published: Oct 28, 2021 - 12:00 a.m.

Gitlab -- Multiple Vulnerabilities

Date: 2021-10-28 00:00:00
Reporter: vuxml.freebsd.org

CVSS2: 7.2 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.7 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.001 Low (Percentile: 45.2%)

Gitlab reports:

Stored XSS via ipynb files
Pipeline schedules on imported projects can be set to automatically active after import
Potential Denial of service via Workhorse
Improper Access Control allows Merge Request creator to bypass locked status
Projects API discloses ID and name of private groups
Severity of an incident can be changed by a guest user
System root password accidentally written to log file
Potential DoS via a malformed TIFF image
Bypass of CODEOWNERS Merge Request approval requirement
Change project visibility to a restricted option
Project exports leak external webhook token value
SCIM token is visible after creation
Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transferred
Regular expression denial of service issue when cleaning namespace path
Prevent creation of scopeless apps using applications API
Webhook data exposes assignee’s private email address

Affected packages:

  OS       Version  Architecture  Package    Version   Filename
  FreeBSD  any      noarch        gitlab-ce  = 14.4.0  UNKNOWN
  FreeBSD  any      noarch        gitlab-ce  < 14.4.1  UNKNOWN
