Liberapay: Publicly editable GitHub wikis

ID H1:460121
Type hackerone
Reporter strukt
Modified 2018-12-12T18:37:04


Hello team,

While browsing, I found that many of the repositories have their wikis publicly editable by any GitHub user. The following are some of the affected repositories:

I went on and created the following wiki page as a PoC:


This enables an attacker to edit the wiki pages of the affected repositories completely remotely, adding content that may link to malicious code libraries that would be installed and used by developers, or information that may mislead your users.