cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-9539,https://securityvulnerability.io/vulnerability/CVE-2024-9539,GitHub Enterprise Server Vulnerability: Information Disclosure through Phishing,"An information disclosure vulnerability exists in GitHub Enterprise Server that allows an attacker to exploit uploaded asset URLs to retrieve user metadata. By leveraging malicious SVG files, the attacker can craft a convincing phishing scheme, which relies on a victim user clicking an asset URL that the attacker has uploaded. This vulnerability impacts all versions of GitHub Enterprise Server before 3.14 and was mitigated in subsequent patches. The issue was reported through the GitHub Bug Bounty program, highlighting the importance of prompt updates and secure coding practices.",Github,Github Enterprise Server,4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-10-11T17:52:35.386Z,0
CVE-2024-6800,https://securityvulnerability.io/vulnerability/CVE-2024-6800,GitHub Enterprise Server XML Signature Wrapping Vulnerability,"The CVE-2024-6800 vulnerability in GitHub Enterprise Server is a critical XML signature wrapping vulnerability that allows attackers to bypass authentication requirements when using SAML single sign-on (SSO) authentication with specific identity providers. This could result in unauthorized access to user accounts with site administrator privileges. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.14 and has been fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. While it has not been exploited in the wild, organizations are advised to update to the patched versions to mitigate the risk. This vulnerability does not have any known impacts from ransomware groups.",Github,Github Enterprise Server,9.8,CRITICAL,0.0006799999973736703,false,,true,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-6337,https://securityvulnerability.io/vulnerability/CVE-2024-6337,Incorrect Authorization allows read access to issues in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-5815,https://securityvulnerability.io/vulnerability/CVE-2024-5815,Cross Site Request Forgery was identified in GitHub Enterprise Server that allowed write in a user owned repository,"A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-6336,https://securityvulnerability.io/vulnerability/CVE-2024-6336,Security misconfiguration was identified in GitHub Enterprise Server that allowed sensitive data exposure,"A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting the organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5817,https://securityvulnerability.io/vulnerability/CVE-2024-5817,Improper authorization allows read access to issue content in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5816,https://securityvulnerability.io/vulnerability/CVE-2024-5816,Improper authorization allows persistent access in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.3,MEDIUM,0.0005799999926239252,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5746,https://securityvulnerability.io/vulnerability/CVE-2024-5746,Server-Side Request Forgery Vulnerability in GitHub Enterprise Server,"A significant Server-Side Request Forgery vulnerability was identified in the GitHub Enterprise Server, enabling attackers with Site Administrator privileges to execute arbitrary code on the affected server instance. This severe security flaw necessitates authenticated access through an account possessing Site Administrator status, exposing numerous GitHub Enterprise Server instances to potential exploitation. The issue affects all versions prior to 3.13, emphasizing the urgency for organizations to apply the latest patches provided in versions 3.12.5, 3.11.11, 3.10.13, and 3.9.16. This vulnerability was reported through the GitHub Bug Bounty program, reflecting the ongoing commitment to security within the GitHub ecosystem.",Github,Github Enterprise Server,7.6,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2024-06-20T22:15:00.000Z,0
CVE-2024-2443,https://securityvulnerability.io/vulnerability/CVE-2024-2443,Improper input validation vulnerability was identified in GitHub Enterprise Server that allowed privilege escalation in the Management Console,"A command injection vulnerability exists in GitHub Enterprise Server, which could potentially allow an attacker with an editor role in the Management Console to obtain unauthorized admin SSH access to the server. This risk arises when configuring GeoJSON settings, requiring an attacker to have access to the GitHub Enterprise Server instance and to the Management Console with the editor role. This vulnerability impacts all versions of GitHub Enterprise Server prior to 3.13, and the issue has been addressed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. It was reported through the GitHub Bug Bounty program.",Github,Github Enterprise Server,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-03-20T23:15:00.000Z,0
CVE-2022-46257,https://securityvulnerability.io/vulnerability/CVE-2022-46257,Information disclosure in GitHub Enterprise Server leading to unauthorized viewing of private repository names,"An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,4.3,MEDIUM,0.0012799999676644802,false,,false,false,false,,,false,false,,2023-03-07T00:00:00.000Z,0
CVE-2023-22380,https://securityvulnerability.io/vulnerability/CVE-2023-22380,Path traversal in GitHub Enterprise Server leading to arbitrary file reading when building a GitHub Pages site,"A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program.",GitHub,GitHub Enterprise Server,6.5,MEDIUM,0.0006500000017695129,false,,false,false,false,,,false,false,,2023-02-16T00:00:00.000Z,0
CVE-2022-23739,https://securityvulnerability.io/vulnerability/CVE-2022-23739,Incorrect authorization check in GitHub Enterprise Server leading to escalation of privileges in GraphQL API requests from GitHub Apps using scoped user-to-server tokens,"An incorrect authorization vulnerability was discovered in GitHub Enterprise Server that enables privilege escalation through GraphQL API requests made by GitHub Apps. This issue allows an installed app in an organization to access and alter various organization-level resources independently of the provided permissions. Notably, resources tied to repositories—like repository contents, specific projects, issues, and pull requests—remained unaffected. All versions prior to 3.7.1 are susceptible to this vulnerability, which has been addressed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4, and 3.7.1 as part of GitHub's commitment to security.",Github,Github Enterprise Server,9.8,CRITICAL,0.0027699999045580626,false,,false,false,false,,,false,false,,2023-01-17T00:00:00.000Z,0
CVE-2022-46258,https://securityvulnerability.io/vulnerability/CVE-2022-46258,Incorrect Authorization in GitHub Enterprise Server leads to Action Workflow modifications without Workflow Scope,"An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.0014400000218302011,false,,false,false,false,,,false,false,,2023-01-09T00:00:00.000Z,0
CVE-2022-46256,https://securityvulnerability.io/vulnerability/CVE-2022-46256,Path traversal in GitHub Enterprise Server leading to remote code execution in GitHub Pages,"A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5 and 3.7.2. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.010470000095665455,false,,false,false,false,,,false,false,,2022-12-14T00:00:00.000Z,0
CVE-2022-23741,https://securityvulnerability.io/vulnerability/CVE-2022-23741,Incorrect authorization in GitHub Enterprise Server token generation leading to full admin access,"An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,7.2,HIGH,0.0024900001008063555,false,,false,false,false,,,false,false,,2022-12-14T00:00:00.000Z,0
CVE-2022-46255,https://securityvulnerability.io/vulnerability/CVE-2022-46255,Improper Limitation of a Pathname to a Restricted Directory in GitHub Enterprise Server leading to RCE,"An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,9.8,CRITICAL,0.004920000210404396,false,,false,false,false,,,false,false,,2022-12-14T00:00:00.000Z,0
CVE-2022-23737,https://securityvulnerability.io/vulnerability/CVE-2022-23737,Improper Privilege Management in GitHub Enterprise Server leading to page creation and deletion,"An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, and 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.0011599999852478504,false,,false,false,false,,,false,false,,2022-12-01T00:00:00.000Z,0
CVE-2022-23740,https://securityvulnerability.io/vulnerability/CVE-2022-23740,Improper Neutralization of Argument Delimiters in a Command in GitHub Enterprise Server leading to Remote Code Execution,"CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.0032399999909102917,false,,false,false,false,,,false,false,,2022-11-23T00:00:00.000Z,0
CVE-2022-23738,https://securityvulnerability.io/vulnerability/CVE-2022-23738,Incomplete cache verification issue in GitHub Enterprise Server leading to exposure of private repo files,"An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator visit a specially crafted URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.7,MEDIUM,0.001069999998435378,false,,false,false,false,,,false,false,,2022-11-01T00:00:00.000Z,0
CVE-2022-23734,https://securityvulnerability.io/vulnerability/CVE-2022-23734,Deserialization of Untrusted Data vulnerability in GitHub Enterprise Server leading to Remote Code Execution,"A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability affected all versions of GitHub Enterprise Server prior to v3.6 and was fixed in versions 3.5.3, 3.4.6, 3.3.11, and 3.2.16. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.010400000028312206,false,,false,false,false,,,false,false,,2022-10-19T00:00:00.000Z,0
CVE-2022-23733,https://securityvulnerability.io/vulnerability/CVE-2022-23733,Stored XSS vulnerability in GitHub Enterprise Server leading to injection of arbitrary attributes,"A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.4,MEDIUM,0.0006799999973736703,false,,false,false,false,,,false,false,,2022-08-02T16:05:14.000Z,0
CVE-2022-23732,https://securityvulnerability.io/vulnerability/CVE-2022-23732,Path traversal in GitHub Enterprise Server management console leading to a bypass of CSRF protections,"A path traversal vulnerability was identified in the GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.0037799999117851257,false,,false,false,false,,,false,false,,2022-04-05T00:10:11.000Z,0
CVE-2021-41599,https://securityvulnerability.io/vulnerability/CVE-2021-41599,Improper control flow in GitHub Enterprise Server hosted Pages leads to remote code execution,"A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.21, 3.1.13, 3.2.5. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.009809999726712704,false,,false,false,false,,,false,false,,2022-02-18T00:15:00.000Z,0
CVE-2021-41598,https://securityvulnerability.io/vulnerability/CVE-2021-41598,UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user,"A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, those additional permissions would not be displayed, leading to more permissions being granted than the user potentially intended. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,8.8,HIGH,0.0031399999279528856,false,,false,false,false,,,false,false,,2022-01-25T19:45:12.000Z,0
CVE-2021-22870,https://securityvulnerability.io/vulnerability/CVE-2021-22870,Path traversal in GitHub Enterprise Server hosted Pages leads to unauthorized file read access,"A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.19, 3.1.11, and 3.2.3. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.0014799999771639705,false,,false,false,false,,,false,false,,2021-11-10T01:55:11.000Z,0