CVE-2024-1084: 
GitHub Enterprise Server vulnerability analysis and mitigation

Cross-site Scripting (XSS) vulnerability was discovered in the tag name pattern field in the tag protections UI of GitHub Enterprise Server. The vulnerability affects all versions prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported through the GitHub Bug Bounty program (GitHub Release Notes).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue that allows a malicious website to make changes to a user account via CSP bypass with created CSRF tokens. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability requires user interaction and social engineering to exploit. If successfully exploited, it allows attackers to make unauthorized changes to a user account through a malicious website (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Users should upgrade to these patched versions or later to mitigate the vulnerability (GitHub Release Notes).