cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10001,https://securityvulnerability.io/vulnerability/CVE-2024-10001,Code Injection Vulnerability in GitHub Enterprise Server,"A code injection vulnerability has been identified in GitHub Enterprise Server that permits attackers to inject malicious code through the identity property in message handling. This flaw can lead to the exfiltration of sensitive data, including authentication tokens, by manipulating the Document Object Model (DOM). To launch the attack, victims must be logged into GitHub and interact with a specially crafted webpage controlled by attackers, containing a hidden iframe. The vulnerability arises from improper validation sequences, where the origin check is conducted after accepting the user-controlled identity property. Affected versions include all GitHub Enterprise Server instances prior to the specified releases, prompting users to update to safer versions.",Github,Enterprise Server,7.1,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-29T18:24:58.816Z,0
CVE-2025-24362,https://securityvulnerability.io/vulnerability/CVE-2025-24362,Debug Artifacts Vulnerability in GitHub CodeQL Action,"A vulnerability exists in GitHub's CodeQL Action where debug artifacts may inadvertently expose environment variables, including sensitive secrets such as the GITHUB_TOKEN. This token grants extensive access to repositories, and under certain conditions—specifically with Java/Kotlin scanning workflows and debug mode enabled—these secrets can be accessed by users who have read access to the repository. This issue arises during failed workflow runs occurring in specific GitHub environments. It is recommended to upgrade to CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later to mitigate the risk of secret leakage.",Github,Codeql-action,7.1,HIGH,0.0004400000034365803,false,,false,false,false,,false,false,false,,2025-01-24T18:04:45.674Z,0
CVE-2025-23369,https://securityvulnerability.io/vulnerability/CVE-2025-23369,Cryptographic Signature Spoofing Vulnerability in GitHub Enterprise Server,"An improper verification of cryptographic signature vulnerability was discovered in GitHub Enterprise Server, which permits unauthorized internal users to spoof signatures. This flaw affects all versions prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0, notably impacting instances not employing SAML single sign-on. The report highlights the managing risk associated with internal threats and emphasizes the importance of updating affected systems to mitigate potential exploitation.",Github,Enterprise Server,6.1,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-21T18:46:30.711Z,0
CVE-2024-50338,https://securityvulnerability.io/vulnerability/CVE-2024-50338,"Newline Handling Issue in Git Credential Manager for Windows, macOS, and Linux","The Git Credential Manager (GCM), which facilitates secure authentication for Git operations, has an input validation issue due to differing newline interpretations between GCM and Git. This flaw allows attackers to craft malicious URLs that can exploit the credential handling mechanism when users interact with compromised repositories. Users need to remain vigilant, especially when cloning repositories with submodules using the '--recursive' option, increasing the risk of credential exposure.",GitHub,,,,0.0004400000034365803,false,,false,false,false,,false,false,false,,2025-01-14T19:15:00.000Z,0
CVE-2024-54132,https://securityvulnerability.io/vulnerability/CVE-2024-54132,Security Vulnerability in GitHub CLI Could Allow File Tampering,"The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.",GitHub,,,,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-12-04T16:15:00.000Z,0
CVE-2024-53858,https://securityvulnerability.io/vulnerability/CVE-2024-53858,"{""GitHub CLI Vulnerability Leaks Authentication Tokens"",""Auth Token Leak in GitHub CLI"",""GitHub CLI Flaws Expose Tokens"",""Security Flaw in GitHub CLI Allows Token Leakage"",""GitHub CLI Authentication Token Vulnerability""}","The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several `gh` commands used to clone a repository with submodules from a non-GitHub host including `gh repo clone`, `gh repo fork`, and `gh pr checkout`. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the `credential.helper` configuration variable for any host encountered. Prior to version `2.63.0`, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage: 1. `GITHUB_ENTERPRISE_TOKEN`, 2. `GH_ENTERPRISE_TOKEN` and 3. `GITHUB_TOKEN` when the `CODESPACES` environment variable is set. The result being `git` sending authentication tokens when cloning submodules. In version `2.63.0`, these GitHub CLI commands will limit the hosts for which `gh` acts as a credential helper to source authentication tokens. Additionally, `GITHUB_TOKEN` will only be used for GitHub.com and ghe.com. Users are advised to upgrade. Additionally users are advised to revoke authentication tokens used with the GitHub CLI and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise",GitHub,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-27T22:15:00.000Z,0
CVE-2024-52308,https://securityvulnerability.io/vulnerability/CVE-2024-52308,GitHub CLI vulnerable to Remote Code Execution through Malicious SSH Server,"A remote code execution vulnerability has been identified in GitHub CLI versions 2.6.1 and earlier, potentially allowing attackers to execute arbitrary code on users' machines. This vulnerability manifests when developers connect to remote codespaces via an SSH server that may contain malicious code. Specifically, an attacker can exploit this flaw through modified SSH connection details, compromising commands like `gh codespace ssh` or `gh codespace logs`. By injecting malicious parameters into the remote username, it is possible for the SSH client to unwittingly execute harmful commands. The vulnerability has been mitigated in GitHub CLI version 2.62.0, which now incorporates input validation for the remote username to prevent exploitation.",GitHub,Cli,9.6,CRITICAL,0.0012799999676644802,false,,false,false,false,,,false,false,,2024-11-14T23:15:00.000Z,0
CVE-2024-8810,https://securityvulnerability.io/vulnerability/CVE-2024-8810,Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed GitHub Apps to grant themselves write access,"A significant vulnerability exists within GitHub Enterprise Server that permits a GitHub App to gain elevated permissions from read to write without the explicit consent of the organization administrator. This risk is particularly serious as it requires only an account with administrator access to install a malicious App, which could compromise organizational security and data integrity. All versions preceding 3.14 are susceptible to this vulnerability, which was addressed in the releases 3.14.1, 3.13.4, 3.12.9, 3.11.15, and 3.10.17.",Github,Enterprise Server,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-11-07T22:15:00.000Z,0
CVE-2024-10824,https://securityvulnerability.io/vulnerability/CVE-2024-10824,Internal Access to Sensitive Data via Personal Access Tokens,An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed unauthorized internal users to access sensitive secret scanning alert data intended only for business owners. This issue could be exploited only by organization members with a personal access token (PAT) and required that secret scanning be enabled on user-owned repositories. This vulnerability affected GitHub Enterprise Server versions after 3.13.0 but prior to 3.14.0 and was fixed in version 3.13.2.,Github,Enterprise Server,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-07T21:15:11.200Z,0
CVE-2024-10007,https://securityvulnerability.io/vulnerability/CVE-2024-10007,GitHub Enterprise Server Path Collision Vulnerability,"A vulnerability exists in GitHub Enterprise Server that could allow for a path collision and arbitrary code execution, potentially enabling an attacker with Enterprise Administrator access to escape container restrictions and escalate privileges to root. This issue impacts all versions of GitHub Enterprise Server prior to 3.15, but it has been addressed in fixed versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. The vulnerability was initially reported through the proactive GitHub Bug Bounty program, emphasizing the importance of ongoing vulnerability management in software development and deployment.",Github,Enterprise Server,,,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-11-07T20:58:17.777Z,0
CVE-2024-9539,https://securityvulnerability.io/vulnerability/CVE-2024-9539,GitHub Enterprise Server Vulnerability: Information Disclosure through Phishing,"An information disclosure vulnerability exists in GitHub Enterprise Server that allows an attacker to exploit uploaded asset URLs to retrieve user metadata. By leveraging malicious SVG files, the attacker can craft a convincing phishing scheme, which relies on a victim user clicking an asset URL that the attacker has uploaded. This vulnerability impacts all versions of GitHub Enterprise Server before 3.14 and was mitigated in subsequent patches. The issue was reported through the GitHub Bug Bounty program, highlighting the importance of prompt updates and secure coding practices.",Github,Github Enterprise Server,4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-10-11T17:52:35.386Z,0
CVE-2024-9487,https://securityvulnerability.io/vulnerability/CVE-2024-9487,Unauthorized Provisioning of Users and Access via SAML SSO Authentication Vulnerability,"A vulnerability was detected that allowed improper verification of cryptographic signatures within GitHub Enterprise Server. This caused potential bypass of SAML SSO authentication, enabling unauthorized provisioning of users and unwarranted access to the instance. The exploitation of this vulnerability required the attacker to have direct network access, coupled with a signed SAML response or metadata document. It is critical to note that this issue affects all versions prior to 3.15 and has been addressed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2.",Github,Enterprise Server,9.1,CRITICAL,0.008320000022649765,false,,false,false,false,,,true,false,,2024-10-10T22:15:00.000Z,4657
CVE-2024-8770,https://securityvulnerability.io/vulnerability/CVE-2024-8770,XSS Vulnerability in GitHub Enterprise Server Requires Immediate Action,"A Cross-Site Scripting (XSS) vulnerability was identified in the repository transfer feature of GitHub Enterprise Server, which allows attackers to steal sensitive user information via social engineering. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in version 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. This vulnerability was reported via the GitHub Bug Bounty program.",GitHub,Enterprise Server,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-09-23T21:15:00.000Z,0
CVE-2024-8263,https://securityvulnerability.io/vulnerability/CVE-2024-8263,Nested Tag Vulnerability Affects All Versions of GitHub Enterprise Server,"An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped PAT through the use of nested tags. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in version 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. This vulnerability was reported via the GitHub Bug Bounty program.",GitHub,Enterprise Server,2.7,LOW,0.000590000010561198,false,,false,false,false,,,false,false,,2024-09-23T21:15:00.000Z,0
CVE-2024-6800,https://securityvulnerability.io/vulnerability/CVE-2024-6800,GitHub Enterprise Server XML Signature Wrapping Vulnerability,"The CVE-2024-6800 vulnerability in GitHub Enterprise Server is a critical XML signature wrapping vulnerability that allows attackers to bypass authentication requirements when using SAML single sign-on (SSO) authentication with specific identity providers. This could result in unauthorized access to user accounts with site administrator privileges. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.14 and has been fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. While it has not been exploited in the wild, organizations are advised to update to the patched versions to mitigate the risk. This vulnerability does not have any known impacts from ransomware groups.",Github,Github Enterprise Server,9.8,CRITICAL,0.0006799999973736703,false,,true,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-6337,https://securityvulnerability.io/vulnerability/CVE-2024-6337,Incorrect Authorization allows read access to issues in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-7711,https://securityvulnerability.io/vulnerability/CVE-2024-7711,Incorrect Authorization Vulnerability in GitHub Enterprise Server,"An Incorrect Authorization vulnerability has been discovered in GitHub Enterprise Server, which allows attackers to modify issue titles, assignees, and labels within any public repository. This loophole was limited to public repositories and poses significant risks if exploited. The vulnerability impacts GitHub Enterprise Server versions prior to 3.14, with remediation provided in versions 3.13.3, 3.12.8, and 3.11.14. Notably, version 3.10 is not affected by this vulnerability. The issue was identified through the GitHub Bug Bounty program, highlighting the importance of prompt security assessments.",Github,Enterprise Server,4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,,false,false,,2024-08-20T20:15:00.000Z,0
CVE-2024-6336,https://securityvulnerability.io/vulnerability/CVE-2024-6336,Security misconfiguration was identified in GitHub Enterprise Server that allowed sensitive data exposure,"A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-6395,https://securityvulnerability.io/vulnerability/CVE-2024-6395,Sensitive Information Exposure in GitHub Enterprise Server,"A vulnerability in GitHub Enterprise Server allows attackers to enumerate private repository names that use deploy keys, exposing sensitive information without granting unauthorized access to any repository content. This issue affects all versions prior to 3.14 and was mitigated in several fixed versions including 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. The vulnerability was reported through the GitHub Bug Bounty program, underscoring the importance of security diligence in enterprise environments.",Github,Enterprise Server,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5815,https://securityvulnerability.io/vulnerability/CVE-2024-5815,Cross Site Request Forgery was identified in GitHub Enterprise Server that allowed write in a user owned repository,"A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5795,https://securityvulnerability.io/vulnerability/CVE-2024-5795,Denial of Service Vulnerability in GitHub Enterprise Server,"A Denial of Service vulnerability in GitHub Enterprise Server allowed attackers to exploit the server by sending a large payload, resulting in unbounded resource exhaustion. This vulnerability impacted all versions prior to 3.14, necessitating updates to versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17 to mitigate potential threats. The vulnerability was responsibly disclosed through the GitHub Bug Bounty program, highlighting the importance of regular updates and security assessments.",Github,Enterprise Server,6.5,MEDIUM,0.0005600000149570405,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5816,https://securityvulnerability.io/vulnerability/CVE-2024-5816,Improper authorization allows persistent access in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,5.3,MEDIUM,0.0005799999926239252,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5817,https://securityvulnerability.io/vulnerability/CVE-2024-5817,Improper authorization allows read access to issue content in GitHub Enterprise Server,"An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.",Github,Github Enterprise Server,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-5566,https://securityvulnerability.io/vulnerability/CVE-2024-5566,Improper Privilege Management in GitHub Enterprise Server,"A vulnerability in GitHub Enterprise Server allows users to migrate private repositories without the necessary permissions, due to inadequate management of access tokens. This issue affects all versions prior to 3.14 and raises concerns over the security of repository data. Remediation was implemented in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17 to prevent unauthorized access.",Github,Enterprise Server,6.5,MEDIUM,0.000590000010561198,false,,false,false,false,,,false,false,,2024-07-16T22:15:00.000Z,0
CVE-2024-6433,https://securityvulnerability.io/vulnerability/CVE-2024-6433,Database Path Traversal Vulnerability Discovered in Stationai/devika GitHub Repository,"The application zips all the files in the folder specified by the user, which allows an attacker to read arbitrary files on the system by providing a crafted path. This vulnerability can be exploited by sending a request to the application with a malicious snapshot_path parameter.",GitHub,,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-10T01:15:00.000Z,0