CVE-2023-28430

Name of the Vulnerable Software and Affected Versions OneSignal (affected versions not specified)

Description The issue concerns a workflow triggered by closed issues, utilizing a GitHub repository token with full write permissions. This allows an attacker to potentially take over the GitHub Runner, run custom commands, steal secrets, or alter the repository. The vulnerability was discovered using CodeQL and involves javascript's Expression injection in Actions query.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.