CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24722 – Cross-site Scripting in view_component
https://notcve.org/view.php?id=CVE-2022-24722
02 Mar 2022 — VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to t... • https://github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 3EXPL: 0CVE-2021-41599 – Improper control flow in GitHub Enterprise Server hosted Pages leads to remote code execution
https://notcve.org/view.php?id=CVE-2021-41599
17 Feb 2022 — A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.21, 3.1.13, 3.2.5. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vuln... • https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.21 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21687 – Command injection in gh-ost
https://notcve.org/view.php?id=CVE-2022-21687
01 Feb 2022 — gh-ost is a triggerless online schema migration solution for MySQL. Versions prior to 1.1.3 are subject to an arbitrary file read vulnerability. The attacker must have access to the target host or trick an administrator into executing a malicious gh-ost command on a host running gh-ost, plus network access from host running gh-ost to the attack's malicious MySQL server. The `-database` parameter does not properly sanitize user input which can lead to arbitrary file reads. gh-ost es una solución de migración... • https://github.com/github/gh-ost/commit/a91ab042de013cfd8fbb633763438932d9080d8f • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41598 – UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user
https://notcve.org/view.php?id=CVE-2021-41598
25 Jan 2022 — A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated th... • https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.21 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-23986
https://notcve.org/view.php?id=CVE-2020-23986
05 Jan 2022 — Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the function renderError. Se ha detectado que el commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 de Github Read Me Stats contenía una vulnerabilidad de tipo cross-site scripting (XSS) reflejada por medio de la función renderError. • https://github.com/anuraghazra/github-readme-stats/pull/255 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2021-44684
https://notcve.org/view.php?id=CVE-2021-44684
06 Dec 2021 — naholyr github-todos 3.1.0 is vulnerable to command injection. The range argument for the _hook subcommand is concatenated without any validation, and is directly used by the exec function. naholyr github-todos versión 3.1.0, es vulnerable a una inyección de comandos. El argumento de rango para el subcomando _hook es concatenado sin ninguna comprobación, y es usado directamente por la función exec • https://github.com/dwisiswant0/advisory/issues/5 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-22870 – Path traversal in GitHub Enterprise Server hosted Pages leads to unauthorized file read access
https://notcve.org/view.php?id=CVE-2021-22870
10 Nov 2021 — A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.19, 3.1.11, and 3.2.3. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identific... • https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.19 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-22868 – Unsafe configuration options in GitHub Pages leading to path traversal on GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2021-22868
24 Sep 2021 — A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise S... • https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.22 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22869 – Improper access control in GitHub Enterprise Server allows self-hosted runners to execute outside their control group
https://notcve.org/view.php?id=CVE-2021-22869
24 Sep 2021 — An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. ... • https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.16 • CWE-287: Improper Authentication CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-22867 – Unsafe configuration options in GitHub Pages leading to path traversal on GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2021-22867
14 Jul 2021 — A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise S... • https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.17 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •