CVE-2023-26493

Name of the Vulnerable Software and Affected Versions Cocos Engine (affected versions not specified)

Description The issue concerns a command injection vulnerability in the web-interface-check.yml file of the Cocos Engine GitHub repository. This file was triggered by pull requests and contained a user-controllable field github.head ref, which is the name of the fork's branch. An attacker could exploit this to take over the GitHub Runner, run custom commands, and potentially steal secrets like GITHUB TOKEN, as well as alter the repository. The vulnerable workflow has been removed from the repository.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.