{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3246", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2025-04-03T22:33:59.558Z", "datePublished": "2025-04-17T22:50:22.215Z", "dateUpdated": "2025-04-18T12:01:53.671Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "GitHub Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.16.2", "status": "unaffected"}], "lessThanOrEqual": "3.16.1", "status": "affected", "version": "3.16", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9 Storfjord Kristiansen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.<br><br>"}], "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2025-04-17T22:50:22.215Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2"}], "source": {"discovery": "EXTERNAL"}, "title": "Markdown math block sanitization bypass allows privilege escalation and unauthorized workflow triggers", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-18T11:44:25.310657Z", "id": "CVE-2025-3246", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T12:01:53.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3246", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-18T11:44:25.310657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T11:44:31.412Z"}}], "cna": {"title": "Markdown math block sanitization bypass allows privilege escalation and unauthorized workflow triggers", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Andr\u00e9 Storfjord Kristiansen"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GitHub", "product": "GitHub Enterprise Server", "versions": [{"status": "affected", "changes": [{"at": "3.16.2", "status": "unaffected"}], "version": "3.16", "versionType": "semver", "lessThanOrEqual": "3.16.1"}], "defaultStatus": "affected"}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2025-04-17T22:50:22.215Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3246", "state": "PUBLISHED", "dateUpdated": "2025-04-18T12:01:53.671Z", "dateReserved": "2025-04-03T22:33:59.558Z", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "datePublished": "2025-04-17T22:50:22.215Z", "assignerShortName": "GitHub_P"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:3.16.1:*:*:*:*:*:*:*", "matchCriteriaId": "C916F330-E6B5-478B-9525-F8AC38472743", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16.1 of GitHub Enterprise Server and was fixed in version 3.16.2. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de neutralizaci\u00f3n de entrada incorrecta en GitHub Enterprise Server que permit\u00eda cross-site scripting en GitHub Markdown que utilizaban bloques matem\u00e1ticos `$$..$$`. Su explotaci\u00f3n requer\u00eda acceso a la instancia de GitHub Enterprise Server objetivo e interacci\u00f3n de usuario privilegiado con los elementos maliciosos. Esta vulnerabilidad afect\u00f3 a la versi\u00f3n 3.16.1 de GitHub Enterprise Server y se corrigi\u00f3 en la versi\u00f3n 3.16.2. Esta vulnerabilidad se report\u00f3 a trav\u00e9s del programa de recompensas por errores de GitHub."}], "id": "CVE-2025-3246", "lastModified": "2025-09-05T15:00:02.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2025-04-17T23:15:42.123", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.2"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}