InfoSecBulletin Cybersecurity for mankind
GitHub has released security updates for GitHub Enterprise Server to fix several vulnerabilities, including a high-severity flaw that could allow code execution by attackers. Organizations are urged to apply these patches quickly to ensure system protection.
High-Risk Code Execution Vulnerability:
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
A vulnerability (CVE-2025-3509) in the pre-receive hook feature of GitHub Enterprise Server could allow attackers to execute arbitrary code, leading to privilege escalation and full system compromise. This flaw can be exploited by binding to temporarily available dynamically allocated ports, especially during a hot patch upgrade.
This vulnerability can only be exploited under specific conditions, like during the hot patching process. Additionally, it requires site administrator permissions or a user with rights to modify repositories with pre-receive hooks.
A medium-severity vulnerability (CVE-2025-3124) may let attackers see private repository names that a signed-in user shouldn’t access. This issue arises in the GitHub Advanced Security Overview because of a missing authorization check when using the filter “only archived:”.
Cross-Site Scripting Vulnerability:
A high-severity vulnerability (CVE-2025-3246) in GitHub’s Markdown rendering allows attackers to embed malicious HTML/CSS in math blocks ($$ .. $$), which could lead to cross-site scripting (XSS). Exploitation requires access to a targeted GitHub Enterprise Server and privileged user interaction. GitHub has addressed this issue by preventing math blocks from being escaped by dollar signs and enhancing the escape of non-wrapped content.
Affected Versions and Mitigations:
The following versions of GitHub Enterprise Server are affected:
Affected from 3.13.0 through 3.13.13; unaffected from 3.13.14
Affected from 3.14.0 through 3.14.10; unaffected from 3.14.11
Affected from 3.15.0 through 3.15.5; unaffected from 3.15.6
Affected from 3.16.0 through 3.16.1; unaffected from 3.16.2
GitHub has released patched versions to fix vulnerabilities. Administrators should upgrade their GitHub Enterprise Server to the latest version to maintain system and data security.
