CVE-2025-14046
中文标题:
(暂无数据)
英文标题:
Insufficient HTML Sanitization Allows User-Controlled DOM Elements to Overwrite Server-Initialized Data Islands and Trigger Unintended Server-Side POST Requests
漏洞描述
中文描述:
(暂无数据)
英文描述:
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| GitHub | Enterprise Server | - | ≤ 3.18.2 | - |
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
|
| github | enterprise_server | * | - | - |
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-14046 |
2025-12-12 03:20:59 | 2026-01-12 02:11:06 |
| NVD | nvd_CVE-2025-14046 |
2025-12-20 03:16:53 | 2026-01-12 02:27:30 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 5 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']