CVE-2024-6800
Published 2024-08-20
Priority P269 · critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.53% (71.5th percentile)
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | enterprise_server | >= 3.10.0 < 3.10.16 | 3.10.16 |
| github | enterprise_server | >= 3.11.0 < 3.11.14 | 3.11.14 |
| github | enterprise_server | >= 3.12.0 < 3.12.8 | 3.12.8 |
| github | enterprise_server | >= 3.13.0 < 3.13.3 | 3.13.3 |
| github | github_enterprise_server | 3.10.0 – 3.10.15 | — |
| github | github_enterprise_server | 3.11.0 – 3.11.13 | — |
| github | github_enterprise_server | 3.12.0 – 3.12.7 | — |
| github | github_enterprise_server | 3.13.0 – 3.13.2 | — |
Detection & IOCs
- Detect forged SAML responses targeting GHES — monitor for SAML assertions granting site administrator privileges from unexpected or external identity providers
- Flag SAML authentication events that succeed without prior authentication state or session, particularly those resulting in new site administrator account provisioning
- Monitor GHES instances for XML signature wrapping patterns in SAML POST bindings — look for SAML responses containing multiple Assertion or Signature elements, a classic XSW indicator
- Audit GHES instances exposed on the public internet running versions prior to 3.13.3, 3.12.8, 3.11.14, or 3.10.16 as all prior versions are vulnerable
- Use FOFA or similar asset discovery to identify internet-exposed GHES instances (36,500+ identified publicly); prioritize those in the US (29,200) for patch verification
- Vulnerability is only exploitable when SAML authentication is enabled AND the identity provider uses publicly exposed signed federation metadata XML — instances not using SAML or using private/unexposed federation metadata are not affected by this specific attack vector
- Exploitation requires direct network access to the GHES instance — purely air-gapped or strictly firewalled instances with no attacker-reachable network path are at reduced risk
- After applying the security update, some services may show configuration errors but the instance should still start correctly — admins should review the 'Known issues' section before patching
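A structural check for the XSW indicators named in the list above, as an added example (not code from GitHub or from any source cited on this page): it decodes a SAMLResponse taken from the POST binding and reports multiple Assertion elements, assertions outside the Response root, duplicate IDs, and signatures whose Reference does not point at their enclosing element. The function name and both sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = (f'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
      f'xmlns:saml="{SAML}" xmlns:ds="{DSIG}"')

def xsw_indicators(saml_response_b64):
    """Return structural XSW findings for a base64 SAMLResponse (hypothetical helper)."""
    # Stdlib parser for portability; prefer a hardened parser such as defusedxml
    # when the input comes from untrusted traffic.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    parent = {child: p for p in root.iter() for child in p}
    findings = []

    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if len(assertions) > 1:
        findings.append(f"{len(assertions)} Assertion elements")
    for a in assertions:
        if parent.get(a) is not root:
            findings.append(f"Assertion {a.get('ID')} is not a direct child of Response")

    ids = [e.get("ID") for e in root.iter() if e.get("ID")]
    if len(ids) != len(set(ids)):
        findings.append("duplicate ID attribute values")

    # An enveloped signature should reference the ID of the element that contains it.
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        holder = parent.get(sig)
        for ref in sig.iter(f"{{{DSIG}}}Reference"):
            target = ref.get("URI", "").lstrip("#")
            if holder is None or holder.get("ID") != target:
                findings.append(f"Signature references #{target}, not its enclosing element")
    return findings

def _b64(xml):
    return base64.b64encode(xml.encode()).decode()

# Constructed samples (no real signatures or keys): only the element layout matters.
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>{}</ds:Signature>'
SIGNED = ('<saml:Assertion ID="_a1">{}<saml:Subject><saml:NameID>user-a</saml:NameID>'
          '</saml:Subject></saml:Assertion>')
NORMAL = _b64(f'<samlp:Response {NS} ID="_r1">' + SIGNED.format(SIG.format("")) + '</samlp:Response>')
WRAPPED = _b64(f'<samlp:Response {NS} ID="_r1"><saml:Assertion ID="_x9">'
               + SIG.format("<ds:Object>" + SIGNED.format("") + "</ds:Object>")
               + '<saml:Subject><saml:NameID>user-b</saml:NameID></saml:Subject>'
               '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("wrapped", WRAPPED)):
        print(name, xsw_indicators(sample))
```

A non-empty result is a triage signal for the logged response, not a substitute for signature validation, and encrypted assertions must be decrypted before this layout check can see them.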
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:H/U:Red |
| cisa | — | 7.2 | HIGH | — |
| vendor_cisco | — | 7.5 | HIGH | — |
GHSA
ghsa_unreviewed·2024-08-20
CVE-2024-6800 [CRITICAL] CWE-347 GHSA-5wm9-5344-qrrj: An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity provi
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
CISA
Mitel SIP Phones Argument Injection Vulnerability
cisa·2025-02-12·CVSS 7.2
CVE-2024-41710 [HIGH] CWE-88 Mitel SIP Phones Argument Injection Vulnerability
Vulnerability: Mitel SIP Phones Argument Injection Vulnerability
Affected: Mitel SIP Phones
Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_24-0019-001-v2.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2024-41710
Remediation Due Date: 2025-03-05
Cisco
Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
vendor_cisco·2024-11-06·CVSS 4.8
CVE-2024-20533 [MEDIUM] CWE-79 Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users.
These vulnerabilities exist because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based in
Cisco
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
vendor_cisco·2024-05-01·CVSS 7.5
CVE-2024-20357 [HIGH] CWE-305 Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-multi-vulns-cXAhCvS
Cisco
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20376 Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-305, CWE-787
Bug IDs: CSCwi64037, CSCwi64050, CSCwi64064
Cisco
Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20534 Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. These vulnerabilities exist because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, br
Cisco
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20378 Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-305, CWE-787
Bug IDs: CSCwi64037, CSCwi64050, CSCwi64064
Cisco
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20357 Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system. For more information about these vulnerabilities, see the
CVSS: 3.1
CWE: CWE-305, CWE-787
Bug IDs: CSCwi64037, CSCwi64050, CSCwi64064
Cisco
Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
vendor_cisco·CVSS 3.1
CVE-2024-20533 Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. These vulnerabilities exist because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, br
Suricata
ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)
suricata·2025-01-30·CVSS 7.2
CVE-2024-41710 [HIGH] ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/8021xsupport.html"; fast_pattern; http.request_body; content:"802|2e|1x|2b|identity|3d|"; pcre:"/^[^\x26]*?\x25(?:\x21d\x28|dt)/R"; reference:url,www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones; reference:cve,2024-41710; classtype:web-application-attack; sid:2059785; rev:1; metadata:affected_product Mitel, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_30, cve CVE_2024_41710, deployment Perimeter, deployment Internal, deploym
No public exploits indexed.
Bleepingcomputer
GitHub Enterprise Server vulnerable to critical auth bypass flaw
blogs_bleepingcomputer·2024-08-21·CVSS 5.9
CVE-2024-6800 [MEDIUM] GitHub Enterprise Server vulnerable to critical auth bypass flaw
By Bill Toulas
A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.
The security issue is identified as CVE-2024-6800 and received a 9.5 severity rating as per the CVSS 4.0 standard. It is described as an XML signature wrapping problem that occurs when using the Security Assertion Markup Language (SAML) authentication standard with certain identity providers.
GitHub Enterprise Server (GHES) is a local version of GitHub for businesses that lack the experience for working with the public cloud or want to manage access and security controls.
According to the FOFA search engine fo
HackerOne
SAML Signature verification bypass allows logging into any user (with specific conditions)
hackerone·2024-10-10·CVSS 9.8
[CRITICAL] SAML Signature verification bypass allows logging into any user (with specific conditions)
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
[CVE-2024-6800](https://nvd.nis
2024-08-20
Published