GitHub Enterprise Server DOM Injection Vulnerability Allowing Unauthorized Backend Interactions

Vulnerability

A vulnerability exists in GitHub Enterprise Server prior to versions 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21 in which user input is improperly neutralized. User-supplied HTML can inject DOM elements that interfere with server-initialized data islands (the inline blocks the server embeds in a page to hand initial application state to client-side scripts). Such interference can overwrite or obscure critical application state objects in certain Project views, potentially leading to unauthorized server-side POST requests or other backend interactions. Exploitation requires access to the affected GitHub Enterprise Server instance and the ability to entice a privileged user to view the crafted content.
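
The failure mode described above, as an added illustration that is not GitHub's code and does not reflect how GitHub Enterprise Server reads its data islands: a client script that locates state with `getElementById` receives the first element in document order carrying that id, so an element injected from user-supplied HTML with the same id can shadow the server's block. The `document` below is a constructed stand-in for the browser DOM (only `getElementById` and a `#id`-only `querySelectorAll` are modelled) so the example runs under Node; the id `project-state`, the state fields and the injected element are all hypothetical.

```javascript
// Added example (not GitHub's code): reading a server-initialized JSON data
// island in a way that tolerates injected DOM elements sharing its id.
// "document" here is a constructed stand-in for the browser DOM so the
// example runs under Node; the id "project-state" is hypothetical.

// Minimal stand-in for the two DOM calls the readers use.
function makeDocument(elements) {
  return {
    // As in browsers: returns the FIRST element in document order with that id,
    // which is why an injected element placed earlier can shadow the real one.
    getElementById(id) {
      return elements.find((el) => el.id === id) || null;
    },
    // Stand-in for querySelectorAll; only the "#id" selector form is supported.
    querySelectorAll(selector) {
      const id = selector.slice(1);
      return elements.filter((el) => el.id === id);
    },
  };
}

// Naive reader: trusts whatever getElementById hands back.
function readDataIslandNaive(doc, id) {
  const el = doc.getElementById(id);
  return el ? JSON.parse(el.textContent) : null;
}

// Hardened reader: requires exactly one element with the id, requires it to be
// a JSON script block rather than an arbitrary element, and freezes the result
// so later script cannot silently mutate the shared state object.
function readDataIslandStrict(doc, id) {
  const matches = doc.querySelectorAll('#' + id);
  if (matches.length !== 1) {
    throw new Error(`expected one element with id "${id}", found ${matches.length}`);
  }
  const el = matches[0];
  if (el.tagName !== 'SCRIPT' || el.type !== 'application/json') {
    throw new Error(`element "${id}" is not an application/json script block`);
  }
  return Object.freeze(JSON.parse(el.textContent));
}

// Constructed sample state, as a server might embed it.
const REAL_STATE = { projectId: 42, canEdit: false };
const ISLAND = {
  tagName: 'SCRIPT',
  id: 'project-state',
  type: 'application/json',
  textContent: JSON.stringify(REAL_STATE),
};

// Constructed element as sanitized user HTML might leave it in the page:
// same id, not a script block, and a body that would flip a state flag.
const INJECTED = {
  tagName: 'DIV',
  id: 'project-state',
  type: undefined,
  textContent: '{"projectId":42,"canEdit":true}',
};

// Page with the injected element rendered before the island.
function documentWithInjectionBefore() {
  return makeDocument([INJECTED, ISLAND]);
}
// Page with the injected element rendered after the island.
function documentWithInjectionAfter() {
  return makeDocument([ISLAND, INJECTED]);
}
// Page with only the server's island.
function cleanDocument() {
  return makeDocument([ISLAND]);
}

// Returns true when the strict reader refuses to read state from the document.
function strictRejects(doc) {
  try {
    readDataIslandStrict(doc, 'project-state');
    return false;
  } catch (err) {
    return true;
  }
}

console.log('naive, injected before :', readDataIslandNaive(documentWithInjectionBefore(), 'project-state'));
console.log('naive, injected after  :', readDataIslandNaive(documentWithInjectionAfter(), 'project-state'));
console.log('strict rejects before  :', strictRejects(documentWithInjectionBefore()));
console.log('strict rejects after   :', strictRejects(documentWithInjectionAfter()));
console.log('strict, clean          :', readDataIslandStrict(cleanDocument(), 'project-state'));
```

The strict reader is a client-side belt-and-braces check, not the fix: it makes the page fail closed when the island is shadowed or duplicated, which is also a useful signal to log. The primary remediation remains the server-side one the advisory describes, neutralizing user HTML so it cannot carry ids or names that collide with application elements, and applying the patched versions.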

Impact

Exploitation of this vulnerability could result in unauthorized backend interactions, such as unintended server-side POST requests, potentially leading to further exploitation or data manipulation.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.18.3, 3.17.9, 3.16.12, 3.15.16, or 3.14.21. For instructions on upgrading, see the GitHub Enterprise Server upgrade guide.

Added: Dec 11, 2025, 6:36 PM
Updated: Dec 11, 2025, 6:36 PM

Vulnerability Rating

Custom Algorithm
spread          1.9
impact          5.0
exploitability  5.0
remediation     8.3
relevance       1.4
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.