Cross-site Scripting Vulnerability in Tag Name Pattern Field Affects GitHub Enterprise Server

CVE-2024-1084

6.1MEDIUM

Key Information

Vendor: GitHub
Status: Enterprise Server
Vendor: CVE Published:; 13 February 2024

Summary

Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.

Affected Version(s)

Enterprise Server <= 3.8.14

Enterprise Server <= 3.9.9

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published.
Feb 13, 2024
Vulnerability Reserved.
Jan 30, 2024

Collectors

NVD DatabaseMitre Database

Credit

Johan Carlsson (https://twitter.com/joaxcar)

Roshan Kudave (https://twitter.com/ROSHANKUDAVE3)

Sudhanshu Rajbhar (https://twitter.com/sudhanshur705)