32 matches found
Command injection
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and...
CVE-2023-26493 Command Injection in Cocos Engine workflow
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and...
CVE-2023-26493 Command Injection in Cocos Engine workflow
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and...
CVE-2023-26493
The CVE-2023-26493 case affects Cocos Engine and concerns a command-injection risk in the repository’s web-interface-check.yml workflow. The vulnerability arises when a pull request triggers a workflow containing the user-controlled field (${{ github.head_ref }}), enabling an attacker to potent...
CVE-2023-26493 Command Injection in Cocos Engine workflow
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and...
CVE-2023-28430 OneSignal repository github action command injection
OneSignal is an email, SMS, push notification, and in-app message service for mobile apps. The Zapier.yml workflow is triggered on issues types: closed, i.e., when an Issue is closed. The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on...
OneSignal command injection vulnerability
OneSignal is a push notification, email, and SMS application from OneSignal. OneSignal suffers from a command injection vulnerability. An attacker could use the vulnerability to take over GitHub Runner and run custom commands to steal sensitive information or make changes to the repository...
GitHub Slug action command injection vulnerability
GitHub Slug action is a tool for exposing the slug values of GitHub environment variables in GitHub workflows. A command injection vulnerability exists in GitHub Slug action version 4.0.0 through versions prior to 4.4.1. An attacker could use this vulnerability to execute code on the GitHub runne...
GHSA-4XQX-PQPJ-9FQW gajira-create GitHub action vulnerable to arbitrary code execution
Impact: An attacker can execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue. Patches: This issue is patched in gajira-create version 2.0.1. Workarounds: There are no known workarounds. References: GitHub Security Lab advisory GHSL-2020-172...
gajira-create GitHub action vulnerable to arbitrary code execution
Impact: An attacker can execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue. Patches: This issue is patched in gajira-create version 2.0.1. Workarounds: There are no known workarounds. References: GitHub Security Lab advisory GHSL-2020-172...
Code injection
The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue...
CVE-2020-14188
The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue...