CVE-2024-8770: 
GitHub Enterprise Server vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability (CVE-2024-8770) was identified in the repository transfer feature of GitHub Enterprise Server. The vulnerability allows attackers to steal sensitive user information through social engineering. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. The vulnerability was reported through the GitHub Bug Bounty program (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue, specifically involving improper neutralization of input during web page generation. According to the CVSS 3.1 scoring, it has a base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVSS 4.0 assessment by GitHub rates it at 5.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N (NVD).

The vulnerability enables attackers to steal sensitive user information through social engineering tactics. The attack requires user interaction and can result in the compromise of confidential data (NVD).

The vulnerability has been patched in GitHub Enterprise Server versions 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. Users are advised to upgrade to these or later versions to mitigate the risk (GitHub Release Notes).