CVE-2024-10001

CVE-2024-10001 is a code injection vulnerability (CWE-94) in GitHub Enterprise Server, stemming from an improper validation sequence in the message handling function. Attackers can inject malicious code into the query selector via the user-controlled identity property, as the origin check occurs after acceptance of this property. This flaw affects all versions of GitHub Enterprise Server prior to 3.11.16, 3.12.10, 3.13.5, 3.14.2, and 3.15.0, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

The attack requires a victim who is authenticated to GitHub Enterprise Server to interact with an attacker-controlled malicious webpage containing a hidden iframe. No special privileges are needed for the attacker, who can operate over the network with low complexity. Successful exploitation enables DOM manipulation to exfiltrate sensitive data, including authentication tokens.

Mitigation involves upgrading to GitHub Enterprise Server versions 3.11.16 or later (for the 3.11 series), 3.12.10 or later (3.12 series), 3.13.5 or later (3.13 series), 3.14.2 or later (3.14 series), or 3.15.0 or later, as detailed in the corresponding release notes. The vulnerability was reported through the GitHub Bug Bounty program, with no public details on real-world exploitation.