PT-2024-16581 · Github · Github Enterprise Server

Authors: Johan Carlsson (+2)

Published: 2024-02-13 · Updated: 2024-10-17

CVE-2024-1084

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.12. GitHub Enterprise Server versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15 are not affected, as they contain the fix.
Description

The issue is a cross-site scripting (XSS) vulnerability in the tag name pattern field of the tag protections UI. It allows a malicious website, with user interaction and social engineering, to make changes to a user account by bypassing the Content Security Policy (CSP) and using CSRF tokens it has created. The vulnerability was reported via the GitHub Bug Bounty program.
Recommendations

For GitHub Enterprise Server versions prior to 3.12, update to version 3.11.5, 3.10.7, 3.9.10, or 3.8.15 to resolve the issue. As a temporary workaround, consider restricting access to the tag protections UI to minimize the risk of exploitation.

Status: Fix

Vulnerability type: XSS

Related Identifiers: CVE-2024-1084

Affected Products: Github Enterprise Server