GitHub Enterprise Server Reflected HTML Injection Vulnerability Allowing Credential Theft

Vulnerability

A reflected HTML injection vulnerability has been identified in the GitHub Enterprise Server Management Console login page. This vulnerability affects versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1. The issue arises because the redirect_to query parameter on the /setup/unlock endpoint is reflected into an HTML attribute without proper sanitization. This flaw enables an attacker to inject a form element that could capture administrator credentials. Exploitation requires an administrator to click a crafted link and enter their credentials.

Impact

Successful exploitation allows for the injection of malicious HTML into the login page, which can capture credentials entered by administrators.

Reproduction

To reproduce this vulnerability, an attacker must craft a link that includes a malicious payload in the redirect_to query parameter. This link should be sent to an administrator, who must click it and enter their credentials on the login page. The injected form element will then capture the entered credentials.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.19.6 or 3.20.2, both of which include the necessary fix.
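Upgrading is the fix for the product itself; as an added illustration of the underlying bug class (constructed example code, not GitHub's Management Console source), the following Python snippet shows a hypothetical template that interpolates redirect_to verbatim into an attribute beside a hardened version that validates the redirect target and attribute-escapes it, plus a simple check that a login page contains only the markup it is supposed to. Function and element names are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit


def is_safe_redirect(target: str) -> bool:
    """Accept only same-site absolute paths such as "/setup/settings"."""
    # Reject protocol-relative ("//host") and backslash variants as well as
    # anything that parses with a scheme or host.
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def render_unlock_vulnerable(redirect_to: str) -> str:
    # Hypothetical unsafe template: the parameter is interpolated verbatim
    # into an attribute, so a quote character closes the attribute and any
    # markup that follows becomes part of the page.
    return (
        '<form method="post" action="/setup/unlock">'
        f'<input type="hidden" name="redirect_to" value="{redirect_to}">'
        '<input type="password" name="password"></form>'
    )


def render_unlock_hardened(redirect_to: str, default: str = "/setup") -> str:
    # Two layers: validate the redirect target, then escape it for an
    # attribute context (quote=True turns '"' into &quot;).
    target = redirect_to if is_safe_redirect(redirect_to) else default
    safe = html.escape(target, quote=True)
    return (
        '<form method="post" action="/setup/unlock">'
        f'<input type="hidden" name="redirect_to" value="{safe}">'
        '<input type="password" name="password"></form>'
    )


def count_elements(page: str, tag: str) -> int:
    """Count opening tags of `tag`; a login page should contain exactly one form."""
    return len(re.findall(rf"<{tag}\b", page))
```

A harmless probe value containing a quote and a tag (for example `/setup"><i>probe</i>`) passes the path check but is escaped, so the hardened page still renders exactly one form and no injected element.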

Added: May 7, 2026, 10:35 PM
Updated: May 7, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm

spread:         1.9
impact:         2.5
exploitability: 6.5
remediation:    7.7
relevance:      7.8
threat:         1.6
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.