Saturday , May 10 2025

GitHub Enterprise Server Vulns Expose Risk of Code Execution

GitHub has released security updates for GitHub Enterprise Server to fix several vulnerabilities, including a high-severity flaw that could allow code execution by attackers. Organizations are urged to apply these patches quickly to ensure system protection.

High-Risk Code Execution Vulnerability:

A vulnerability (CVE-2025-3509) in the pre-receive hook feature of GitHub Enterprise Server could allow attackers to execute arbitrary code, leading to privilege escalation and full system compromise. The flaw can be exploited by binding to temporarily available, dynamically allocated ports, particularly during a hot patch upgrade.

This vulnerability can only be exploited under specific conditions, like during the hot patching process. Additionally, it requires site administrator permissions or a user with rights to modify repositories with pre-receive hooks.

A medium-severity vulnerability (CVE-2025-3124) may let attackers see the names of private repositories that a signed-in user should not otherwise have access to. The issue arises in the GitHub Advanced Security Overview because of a missing authorization check when the filter “only archived:” is used.

Cross-Site Scripting Vulnerability:

A high-severity vulnerability (CVE-2025-3246) in GitHub’s Markdown rendering allows attackers to embed malicious HTML/CSS in math blocks ($$ .. $$), which could lead to cross-site scripting (XSS). Exploitation requires access to a targeted GitHub Enterprise Server instance and interaction from a privileged user. GitHub has addressed the issue by preventing math blocks from being escaped by dollar signs and by improving the escaping of non-wrapped content.

Affected Versions and Mitigations:

The following versions of GitHub Enterprise Server are affected:

Affected from 3.13.0 through 3.13.13; unaffected from 3.13.14
Affected from 3.14.0 through 3.14.10; unaffected from 3.14.11
Affected from 3.15.0 through 3.15.5; unaffected from 3.15.6
Affected from 3.16.0 through 3.16.1; unaffected from 3.16.2

GitHub has released patched versions to fix these vulnerabilities. Administrators should upgrade their GitHub Enterprise Server to the latest version to maintain system and data security.
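As an added illustration (not part of the original article), a small Python check that maps a GitHub Enterprise Server version string onto the affected and fixed ranges listed above; the ranges are the ones given in this advisory, while the function names and sample inputs are constructed for the example.

```python
# Added example: decide whether a GitHub Enterprise Server version falls in an
# affected range from this advisory and which release fixes it.
# AFFECTED_RANGES is copied from the advisory; everything else is constructed.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) for each release line named in the advisory.
AFFECTED_RANGES = [
    ((3, 13, 0), (3, 13, 13), (3, 13, 14)),
    ((3, 14, 0), (3, 14, 10), (3, 14, 11)),
    ((3, 15, 0), (3, 15, 5), (3, 15, 6)),
    ((3, 16, 0), (3, 16, 1), (3, 16, 2)),
]


def parse_version(text: str) -> Version:
    """Parse a plain 'MAJOR.MINOR.PATCH' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> dict:
    """Return affected status and the release to upgrade to.

    'affected' is True inside a listed range, False at or above the fix for that
    release line, and None for release lines the advisory does not mention
    (the advisory says nothing about them, so the check does not guess).
    """
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return {"version": v, "affected": True, "upgrade_to": fixed}
        if v[:2] == first[:2] and v >= fixed:
            return {"version": v, "affected": False, "upgrade_to": None}
    return {"version": v, "affected": None, "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample inputs, e.g. taken from an admin console or inventory export.
    for sample in ("3.15.5", "3.13.14", "3.16.0", "3.12.9"):
        print(sample, assess(sample))
```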
