cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10001,https://securityvulnerability.io/vulnerability/CVE-2024-10001,Code Injection Vulnerability in GitHub Enterprise Server,"A code injection vulnerability has been identified in GitHub Enterprise Server that permits attackers to inject malicious code through the identity property in message handling. This flaw can lead to the exfiltration of sensitive data, including authentication tokens, by manipulating the Document Object Model (DOM). To launch the attack, victims must be logged into GitHub and interact with a specially crafted webpage controlled by attackers, containing a hidden iframe. The vulnerability arises from improper validation sequences, where the origin check is conducted after accepting the user-controlled identity property. Affected versions include all GitHub Enterprise Server instances prior to the specified releases, prompting users to update to safer versions.",Github,Enterprise Server,7.1,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-29T18:24:58.816Z,0
CVE-2025-24362,https://securityvulnerability.io/vulnerability/CVE-2025-24362,Debug Artifacts Vulnerability in GitHub CodeQL Action,"A vulnerability exists in GitHub's CodeQL Action where debug artifacts may inadvertently expose environment variables, including sensitive secrets such as the GITHUB_TOKEN. This token grants extensive access to repositories, and under certain conditions (specifically with Java/Kotlin scanning workflows and debug mode enabled) these secrets can be accessed by users who have read access to the repository. This issue arises during failed workflow runs occurring in specific GitHub environments. It is recommended to upgrade to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later, to mitigate the risk of secret leakage.",Github,Codeql-action,7.1,HIGH,0.0004400000034365803,false,,false,false,false,,false,false,false,,2025-01-24T18:04:45.674Z,0
CVE-2024-52308,https://securityvulnerability.io/vulnerability/CVE-2024-52308,GitHub CLI vulnerable to Remote Code Execution through Malicious SSH Server,"A remote code execution vulnerability has been identified in GitHub CLI versions 2.6.1 and earlier, potentially allowing attackers to execute arbitrary code on users' machines. This vulnerability manifests when developers connect to remote codespaces via an SSH server that may contain malicious code. Specifically, an attacker can exploit this flaw through modified SSH connection details, compromising commands like `gh codespace ssh` or `gh codespace logs`. By injecting malicious parameters into the remote username, it is possible for the SSH client to unwittingly execute harmful commands. The vulnerability has been mitigated in GitHub CLI version 2.62.0, which now incorporates input validation for the remote username to prevent exploitation.",GitHub,Cli,9.6,CRITICAL,0.0012799999676644802,false,,false,false,false,,,false,false,,2024-11-14T23:15:00.000Z,0
CVE-2024-9487,https://securityvulnerability.io/vulnerability/CVE-2024-9487,Unauthorized Provisioning of Users and Access via SAML SSO Authentication Vulnerability,"A vulnerability was detected that allowed improper verification of cryptographic signatures within GitHub Enterprise Server. This caused a potential bypass of SAML SSO authentication, enabling unauthorized provisioning of users and unwarranted access to the instance. Exploitation of this vulnerability required the attacker to have direct network access, coupled with a signed SAML response or metadata document. It is critical to note that this issue affects all versions prior to 3.15 and has been addressed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2.",Github,Enterprise Server,9.1,CRITICAL,0.008320000022649765,false,,false,false,false,,,true,false,,2024-10-10T22:15:00.000Z,4657
CVE-2024-6800,https://securityvulnerability.io/vulnerability/CVE-2024-6800,GitHub Enterprise Server XML Signature Wrapping Vulnerability,"The CVE-2024-6800 vulnerability in GitHub Enterprise Server is a critical XML signature wrapping vulnerability that allows attackers to bypass authentication requirements when using SAML single sign-on (SSO) authentication with specific identity providers. This could result in unauthorized access to user accounts with site administrator privileges. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.14 and has been fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. While it has not been exploited in the wild, organizations are advised to update to the patched versions to mitigate the risk. This vulnerability does not have any known impacts from ransomware groups.",Github,Github Enterprise Server,9.8,CRITICAL,0.0006799999973736703,false,,true,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-5746,https://securityvulnerability.io/vulnerability/CVE-2024-5746,Server-Side Request Forgery Vulnerability in GitHub Enterprise Server,"A significant Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server, enabling attackers with Site Administrator privileges to execute arbitrary code on the affected server instance. This severe security flaw necessitates authenticated access through an account possessing Site Administrator status, exposing numerous GitHub Enterprise Server instances to potential exploitation. The issue affects all versions prior to 3.13, emphasizing the urgency for organizations to apply the latest patches provided in versions 3.12.5, 3.11.11, 3.10.13, and 3.9.16. This vulnerability was reported through the GitHub Bug Bounty program, reflecting the ongoing commitment to security within the GitHub ecosystem.",Github,Github Enterprise Server,7.6,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2024-06-20T22:15:00.000Z,0
CVE-2024-3646,https://securityvulnerability.io/vulnerability/CVE-2024-3646,Command injection vulnerability was identified in GitHub Enterprise Server that allowed privilege escalation in the Management Console,"A command injection vulnerability was discovered in GitHub Enterprise Server, which allows an attacker with editor privileges in the Management Console to obtain unauthorized admin SSH access. This critical flaw arises during the chat integration configuration process, enabling exploitation if the attacker can access the GitHub Enterprise Server instance with proper permissions. The vulnerability impacts all versions prior to 3.12 and was addressed in subsequent updates, namely versions 3.12.2, 3.11.8, 3.10.10, and 3.9.13. Effective measures include upgrading to the latest versions to mitigate risks associated with unauthorized access.",Github,Enterprise Server,8,HIGH,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-04-19T15:15:00.000Z,0
CVE-2024-2443,https://securityvulnerability.io/vulnerability/CVE-2024-2443,Improper input validation vulnerability was identified in GitHub Enterprise Server that allowed privilege escalation in the Management Console,"A command injection vulnerability exists in GitHub Enterprise Server, which could potentially allow an attacker with an editor role in the Management Console to obtain unauthorized admin SSH access to the server. This risk arises when configuring GeoJSON settings, requiring an attacker to have access to the GitHub Enterprise Server instance and to the Management Console with the editor role. This vulnerability impacts all versions of GitHub Enterprise Server prior to 3.13, and the issue has been addressed in versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. It was reported through the GitHub Bug Bounty program.",Github,Github Enterprise Server,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-03-20T23:15:00.000Z,0
CVE-2024-2469,https://securityvulnerability.io/vulnerability/CVE-2024-2469,Remote Code Execution Vulnerability Affects GitHub Enterprise Server,"A vulnerability exists within GitHub Enterprise Server that allows attackers with Administrator privileges to execute arbitrary code remotely, leading to potential SSH root access. This serious security flaw affects versions 3.8.0 and above of GitHub Enterprise Server. It was reported through the GitHub Bug Bounty program and has been addressed in the following patched versions: 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1. Organizations using affected versions are strongly encouraged to update to secure their environments against this exploitation vector.",Github,Enterprise Server,8,HIGH,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-03-20T22:56:03.451Z,0
CVE-2024-1378,https://securityvulnerability.io/vulnerability/CVE-2024-1378,Command Injection Vulnerability in GitHub Enterprise Server Could Lead to Admin SSH Access,"A command injection vulnerability exists within GitHub Enterprise Server, specifically affecting users with editor roles in the Management Console. This vulnerability allows an attacker to manipulate nomad templates during the configuration of SMTP options, ultimately leading to unauthorized admin SSH access to the appliance. It is critical for users to upgrade to the fixed versions to safeguard against this exploit, which applies to all versions of GitHub Enterprise Server prior to 3.12. The vulnerability was acknowledged through the GitHub Bug Bounty program.",Github,Enterprise Server,9.1,CRITICAL,0.0007999999797903001,false,,false,false,false,,,false,false,,2024-02-13T18:54:29.943Z,0
CVE-2024-1374,https://securityvulnerability.io/vulnerability/CVE-2024-1374,Command Injection Vulnerability in GitHub Enterprise Server Could Lead to Admin SSH Access,"A command injection vulnerability exists in GitHub Enterprise Server that permits an attacker with an editor role within the Management Console to acquire administrative SSH access to the system. This may occur through the manipulation of nomad templates while setting up audit log forwarding. Successful exploitation demands that the attacker has access to the specific GitHub Enterprise Server instance as well as editor privileges in the Management Console. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.12 and has been addressed in updates 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Further details are documented in the GitHub Bug Bounty program.",Github,Enterprise Server,9.1,CRITICAL,0.0007999999797903001,false,,false,false,false,,,false,false,,2024-02-13T18:54:18.668Z,0
CVE-2024-1372,https://securityvulnerability.io/vulnerability/CVE-2024-1372,Command Injection Vulnerability in GitHub Enterprise Server Could Lead to Admin SSH Access,"A command injection vulnerability has been identified in GitHub Enterprise Server, allowing attackers to escalate access privileges. Attackers with an editor role in the Management Console can exploit this vulnerability during SAML configuration to gain unauthorized admin SSH access to the appliance. To exploit this weakness, an attacker must have access to the GitHub Enterprise Server instance with editor permissions. The flaw affects all versions of GitHub Enterprise Server prior to 3.12 and has been remediated in releases 3.11.5, 3.10.7, 3.9.10, and 3.8.15, underscoring the importance of timely updates to mitigate such risks.",Github,Enterprise Server,9.1,CRITICAL,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-02-13T18:54:03.413Z,0
CVE-2024-1369,https://securityvulnerability.io/vulnerability/CVE-2024-1369,Command Injection Vulnerability in GitHub Enterprise Server Could Lead to Admin SSH Access,"A command injection vulnerability was identified in GitHub Enterprise Server, allowing attackers with editor roles in the Management Console to execute malicious commands that could result in unauthorized admin SSH access to the appliance. This exploitation was contingent on the attacker having access to the GitHub Enterprise Server instance and the necessary permissions within the Management Console. The vulnerability impacts all versions of GitHub Enterprise Server prior to version 3.12. This issue has been remediated in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. It was reported through the GitHub Bug Bounty program, demonstrating the importance of community-sourced security vigilance.",Github,Enterprise Server,9.1,CRITICAL,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-02-13T18:53:29.406Z,0
CVE-2024-1359,https://securityvulnerability.io/vulnerability/CVE-2024-1359,Command Injection Vulnerability in GitHub Enterprise Server Could Lead to Admin SSH Access,"A command injection vulnerability in GitHub Enterprise Server has been identified, enabling an attacker with editor role permissions in the Management Console to execute malicious commands. This vulnerability arises specifically during the configuration of an HTTP proxy, potentially allowing unauthorized SSH access to the appliance. It is imperative for organizations leveraging GitHub Enterprise Server versions prior to 3.12 to apply updates, specifically versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15, which address this security flaw.",Github,Enterprise Server,9.1,CRITICAL,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-02-13T18:52:27.176Z,0
CVE-2024-1355,https://securityvulnerability.io/vulnerability/CVE-2024-1355,GitHub Enterprise Server Command Injection Vulnerability,"A command injection vulnerability has been identified in GitHub Enterprise Server that poses significant security risks. Attackers with an editor role in the Management Console can exploit this flaw to gain unauthorized admin SSH access to the appliance via the actions-console docker container while setting a service URL. This vulnerability requires access to the GitHub Enterprise Server instance as well as permission within the Management Console. All versions of GitHub Enterprise Server prior to 3.12 are affected, with security patches provided in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. The vulnerability was reported through the GitHub Bug Bounty program.",Github,Enterprise Server,9.1,CRITICAL,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-02-13T18:51:14.254Z,0
CVE-2024-1354,https://securityvulnerability.io/vulnerability/CVE-2024-1354,GitHub Enterprise Server Command Injection Vulnerability,"A vulnerability was identified in GitHub Enterprise Server that allows an attacker with an editor role in the Management Console to execute command injection through the manipulation of the `syslog-ng` configuration file. This exploitation enables unauthorized admin SSH access to the appliance. To exploit this vulnerability, the attacker must have access to the GitHub Enterprise Server instance and hold an editor's role within the Management Console. All versions of GitHub Enterprise Server prior to 3.12 are impacted. The issue has been resolved in the following versions: 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Reporting and mitigation efforts were conducted via the GitHub Bug Bounty program.",Github,Enterprise Server,8,HIGH,0.0010499999625608325,false,,false,false,false,,,false,false,,2024-02-13T18:50:44.852Z,0
CVE-2024-0200,https://securityvulnerability.io/vulnerability/CVE-2024-0200,Unsafe Reflection Vulnerability in GitHub Enterprise Server Could Lead to Remote Code Execution,"An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection, execution of user-controlled methods, and remote code execution. The vulnerability required an actor to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. GitHub took proactive measures by rotating sensitive keys to combat the high-severity vulnerability, which had a 7.2 Common Vulnerability Scoring System (CVSS) score. There were no clear indications of the vulnerability being exploited in the wild at the time of the security measure implementations. Additionally, GitHub also resolved another high-severity bug that might allow privilege escalation through command injection. These incidents highlight the importance of continuous vigilance and readiness in software security across the tech industry.",GitHub,Enterprise Server,7.2,HIGH,0.1842299997806549,false,,true,false,false,,,false,false,,2024-01-16T18:50:48.931Z,0
CVE-2023-46648,https://securityvulnerability.io/vulnerability/CVE-2023-46648,Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token,"A security vulnerability was found in GitHub Enterprise Server that allows attackers to brute-force a pending user invitation to the Management Console. To exploit this vulnerability, an attacker must be aware of the existence of an invitation. This affects all versions of GitHub Enterprise Server from 3.8 prior to versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1, where security patches have been implemented.",GitHub,Enterprise Server,8.3,HIGH,0.0022299999836832285,false,,false,false,false,,,false,false,,2023-12-21T21:15:00.000Z,0
CVE-2023-6847,https://securityvulnerability.io/vulnerability/CVE-2023-6847,Improper Authentication in GitHub Enterprise Server leading to Authentication Bypass for Public Repository Data,"An improper authentication vulnerability was found in GitHub Enterprise Server, which permits the bypass of Private Mode through a specially crafted API request. This vulnerability is particularly concerning as it necessitates only network access to the Enterprise Server appliance set to Private Mode. It affects all versions from 3.9 and has been addressed in updates 3.9.7, 3.10.4, and 3.11.1. The issue was reported via the GitHub Bug Bounty program, emphasizing the importance of community engagement in cybersecurity.",GitHub,Enterprise Server,7.5,HIGH,0.0007099999929778278,false,,false,false,false,,,false,false,,2023-12-21T21:15:00.000Z,0
CVE-2023-46647,https://securityvulnerability.io/vulnerability/CVE-2023-46647,Improper Privilege Management in GitHub Enterprise Server management console leads to privilege escalation,"An issue exists in all versions of GitHub Enterprise Server that permits users with an editor role in the management console to escalate their privileges. This is achieved by sending requests to an endpoint responsible for the initial bootstrapping of the instance. Notably, the vulnerability affects all versions from 3.8.0 and above, and it has been remediated in versions 3.8.12, 3.9.6, 3.10.3, and 3.11.0.",GitHub,Enterprise Server,8,HIGH,0.0014400000218302011,false,,false,false,false,,,false,false,,2023-12-21T21:15:00.000Z,0
CVE-2023-6802,https://securityvulnerability.io/vulnerability/CVE-2023-6802,Sensitive Information in Log File in GitHub Enterprise Server,"A vulnerability in GitHub Enterprise Server allows for the unintentional logging of sensitive information, potentially giving unauthorized access to the management console. This security risk can manifest if an attacker gains access to the log files or backup archives from the appliance, or through services that receive streamed logs. All versions of GitHub Enterprise Server from 3.8 are affected and should be updated to versions 3.8.12, 3.9.7, 3.10.4, or 3.11.1 to mitigate this risk.",Github,Enterprise Server,7.2,HIGH,0.0011099999537691474,false,,false,false,false,,,false,false,,2023-12-21T21:15:00.000Z,0
CVE-2023-26485,https://securityvulnerability.io/vulnerability/CVE-2023-26485,Quadratic complexity may lead to a denial of service in cmark-gfm,"A polynomial time complexity vulnerability in cmark-gfm, GitHub's fork of the cmark library, can result in unbounded resource exhaustion and denial of service. The issue arises during the parsing of text that contains a large number of underscore characters, leading to quadratic increases in processing time. Affected users are urged to upgrade to version 0.29.0.gfm.10 to mitigate this risk, and those who cannot upgrade should ensure their input sources are trusted.",github,cmark-gfm,7.5,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2023-03-31T23:15:00.000Z,0
CVE-2023-24824,https://securityvulnerability.io/vulnerability/CVE-2023-24824,Quadratic complexity may lead to a denial of service in cmark-gfm,"The cmark-gfm library, a variant of the C CommonMark parsing and rendering tool, contains a vulnerability that can result in unbounded resource exhaustion. This occurs when processing inputs with a high density of specific characters, such as consecutive `>` or `-`, leading to potential denial of service. To mitigate risks, users should upgrade to version 0.29.0.gfm.10 or later. If upgrading is not feasible, it is crucial to ensure that input data is sourced from trusted entities to avoid exploitation.",github,cmark-gfm,7.5,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2023-03-31T23:15:00.000Z,0
CVE-2023-23760,https://securityvulnerability.io/vulnerability/CVE-2023-23760,Path traversal in GitHub Enterprise Server leading to remote code execution,"A path traversal vulnerability in GitHub Enterprise Server allows attackers to exploit the platform when creating and building GitHub Pages sites. If an attacker has the necessary permissions to create a GitHub Pages site, they can leverage this vulnerability to execute remote code. All versions prior to 3.8 are impacted, with corrective measures implemented in versions 3.7.7, 3.6.10, 3.5.14, and 3.4.17. This vulnerability was reported through the GitHub Bug Bounty program, emphasizing the importance of consistent security assessments.",GitHub,Enterprise Server,8.8,HIGH,0.005909999832510948,false,,false,false,false,,,false,false,,2023-03-08T19:15:00.000Z,0
CVE-2023-22381,https://securityvulnerability.io/vulnerability/CVE-2023-22381,Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions,"A code injection vulnerability allows an attacker with permission to control the environment variable values in GitHub Actions to potentially set arbitrary environment variables. This can lead to unauthorized actions or data leaks depending on the environment set up during CI/CD processes. All versions of GitHub Enterprise Server prior to 3.8.0 are affected, with fixes implemented in versions 3.4.15, 3.5.12, 3.6.8, and 3.7.5. This vulnerability was reported through the GitHub Bug Bounty program, emphasizing the importance of maintaining updated software to prevent exploitation.",GitHub,Enterprise Server,8.8,HIGH,0.00139999995008111,false,,false,false,false,,,false,false,,2023-03-02T21:15:00.000Z,0