A GitHub Actions workflow caused the body of any issue created on the repo to be directly inserted into a Python here-doc without sanitization, Tenable said. An attacker could have used triple-quote string terminators to escape the string literal, injecting Python code to be executed.
Hey Siri, why do we distrust user input?
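The mechanism described above, as an added example that is not code from Tenable or the affected repository: it parses the templated program without ever executing it, to show when an issue body stops being data and becomes code. The template text, the `ISSUE_BODY` variable name and the sample inputs are assumptions constructed for illustration.

```python
import ast

# Assumed shape of the workflow step: the CI templating engine pastes the issue
# body into Python source text before the interpreter ever sees it.
UNSAFE_TEMPLATE = 'issue_body = """{body}"""\nprint(len(issue_body))\n'

# Hardened shape: the source is constant; the body travels as data in an
# environment variable (ISSUE_BODY is a hypothetical name).
SAFE_SOURCE = 'import os\nissue_body = os.environ["ISSUE_BODY"]\nprint(len(issue_body))\n'


def render_unsafe(body: str) -> str:
    """Mimic text substitution into the here-doc (no escaping, as described)."""
    return UNSAFE_TEMPLATE.replace("{body}", body)


def program_shape(source: str) -> list[str]:
    """Parse only (never execute) and list the top-level statement types."""
    return [type(node).__name__ for node in ast.parse(source).body]


def body_changes_program(body: str) -> bool:
    """True if the body altered the code structure instead of staying data."""
    baseline = program_shape(render_unsafe("placeholder"))
    try:
        return program_shape(render_unsafe(body)) != baseline
    except (SyntaxError, ValueError):
        # Input that breaks parsing was also interpreted as code, not data.
        return True


# Constructed sample inputs: ordinary text, and text containing the
# triple-quote terminator followed by a harmless marker statement.
BENIGN = "Build fails on Python 3.12, see log."
ESCAPING = 'x"""\nmarker = 1\n"""'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("escaping", ESCAPING)):
        print(label, program_shape(render_unsafe(body)), body_changes_program(body))
    # The hardened source is identical for every body, so its shape is fixed.
    print("safe", program_shape(SAFE_SOURCE))
```

In a workflow, the hardened form corresponds to assigning the issue body to an environment variable on the step and reading it at runtime, so the script text never contains attacker-controlled characters.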