Gitpod vulnerable to Cross-site Scripting
Gitpod before 2022.11.3 allows XSS because redirection can occur for some protocols outside of the trusted set of three vscode: vscode-insiders: jetbrains-gateway:...
GHSA-VRXP-MG9F-HWF3 Improperly Implemented path matching for in-toto-golang
Impact: Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys may issue an attestation that contains a disallowed artifact ...