6.5
CVE-2024-1084
- EPSS 0.1%
- Published 13.02.2024 19:15:09
- Last modified 21.11.2024 08:49:45
- Source product-cna@github.com
- CVE-Watchlists
- Open
LoginCross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.
Data is provided by the National Vulnerability Database (NVD)
Github ≫ Enterprise Server Version < 3.8.15
Github ≫ Enterprise Server Version >= 3.9.0 < 3.9.10
Github ≫ Enterprise Server Version >= 3.10.0 < 3.10.7
Github ≫ Enterprise Server Version >= 3.11.0 < 3.11.5
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.274 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| product-cna@github.com | 6.5 | 2.3 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.