Sudhanshu Rajbhar

#41795 of 53,638
6.5 Total CVSS
Vulnerabilities · 1
PT-2024-16581
6.5
2024-02-13
Github · Github Enterprise Server · CVE-2024-1084
**Name of the Vulnerable Software and Affected Versions**

GitHub Enterprise Server versions prior to 3.12. GitHub Enterprise Server versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15 are not affected, as they contain the fix.

**Description**

The issue is a Cross-site Scripting vulnerability in the tag name pattern field of the tag protections UI. It allows a malicious website, requiring user interaction and social engineering, to make changes to a user account via a CSP bypass with crafted CSRF tokens. The vulnerability was reported via the GitHub Bug Bounty program.

**Recommendations**

For GitHub Enterprise Server versions prior to 3.12, update to version 3.11.5, 3.10.7, 3.9.10, or 3.8.15 to resolve the issue. As a temporary workaround, consider restricting access to the tag protections UI to minimize the risk of exploitation.