GitLab: Attacker can post notes on private MR, snippets, and issues
Vulnerability details

By sending a specially crafted request to the GitLab API, an attacker can post notes on merge requests, snippets, and issues it doesn't have access to. This could execute additional note hooks that were configured by the project administrator.

Proof of concept

As a victim,...