Cross-site Scripting Vulnerability in Tag Name Pattern Field Affects GitHub Enterprise Server
CVE-2024-1084

6.1MEDIUM

Key Information:

Vendor: GitHub
Status: Enterprise Server
Vendor: CVE Published:; 13 February 2024

What is CVE-2024-1084?

Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Enterprise Server 3.8 <= 3.8.14

Enterprise Server 3.9 <= 3.9.9

References

https://docs.github.com/en/enterprise-server@3.8/admin/re...

https://docs.github.com/en/enterprise-server@3.9/admin/re...

https://docs.github.com/en/enterprise-server@3.10/admin/r...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 13, 2024
Vulnerability Reserved
Jan 30, 2024

Credit

Johan Carlsson (https://twitter.com/joaxcar)

Roshan Kudave (https://twitter.com/ROSHANKUDAVE3)

Sudhanshu Rajbhar (https://twitter.com/sudhanshur705)

JSON

GitHub