CVE-2024-1084

CVSS V2 None CVSS V3 None

Description

Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.

Overview

CVE ID
CVE-2024-1084

Assigner
GitHub_P

Vulnerability Status
PUBLISHED

Published Version
2024-02-13T18:44:05.830Z

Last Modified Date
2024-06-04T18:00:12.161Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1084
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1084

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 06:05:23				Added to TrackCVE