CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-1084
https://notcve.org/view.php?id=CVE-2024-1084
13 Feb 2024 — Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. Cross-Site Scripting en el campo... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 44%CPEs: 4EXPL: 1CVE-2024-0507 – Privilege Escalation by Code Injection in the Management Console in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2024-0507
16 Jan 2024 — An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13 This vulnerability was reported via the GitHub Bug Bounty program. Un atacante con acceso a una cuenta de usuario de Management Console con función de editor podría escalar privilegios a través de una vulne... • https://github.com/convisolabs/CVE-2024-0507_CVE-2024-0200-github • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 48%CPEs: 4EXPL: 0CVE-2024-0200 – Unsafe Reflection in Github Enterprise Server leading to Command Injection
https://notcve.org/view.php?id=CVE-2024-0200
16 Jan 2024 — An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. This vulnerability was ... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-6847 – Improper Authentication in GitHub Enterprise Server leading to Authentication Bypass for Public Repository Data
https://notcve.org/view.php?id=CVE-2023-6847
21 Dec 2023 — An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una ... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-51380 – Incorrect Authorization allows Read Access to Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51380
21 Dec 2023 — An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía leer los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad afectó a todas... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-51379 – Incorrect Authorization for Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51379
21 Dec 2023 — An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46648 – Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token
https://notcve.org/view.php?id=CVE-2023-46648
21 Dec 2023 — An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabil... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-331: Insufficient Entropy •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46649 – Race Condition allows Administrative Access on Organization Repositories
https://notcve.org/view.php?id=CVE-2023-46649
21 Dec 2023 — A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una condición de ejecución en GitHub Enterprise Server que podría permitir el acceso de administrador a un atacante. Para aprovechar esto, una organización debe ser convert... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6804 – Improper Privilege Management allows for arbitrary workflows to be run
https://notcve.org/view.php?id=CVE-2023-6804
21 Dec 2023 — Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. La gestión inadecuada de privilegios permitió que se confirmaran y ejecutaran workflows arbitrarios utilizando una PAT con un alcance inadecuado. Para aprovechar esto, ya debe haber exi... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-269: Improper Privilege Management •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6803 – Race Condition allows Unauthorized Outside Collaborator
https://notcve.org/view.php?id=CVE-2023-6803
21 Dec 2023 — A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Una condición de ejecución en GitHub Enterprise Server permite agregar un colaborador externo mientras se transfiere un repositorio. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.8 y se solucionó en las... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •