@ChALkeR discovered that our HTML sanitization library was allowing arbitrary user-controlled class attributes on
Given the variety of possible impacts of user-controlled class attributes, we worked under the assumption that this bug’s impact was the same as CSRF. We identified that the bug was a regression introduced several months ago. During our investigation, we found a similar regression affecting another element. We addressed the vulnerabilities by removing the class attribute from the HTML sanitization whitelist for the affected elements. We have added integration and linting tests to ensure that similar bugs are not introduced and that changes to these whitelists receive further scrutiny from our security team in the future.
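To illustrate the per-element attribute whitelist and the lint check described above, here is an added example (not GitHub's sanitizer or its real configuration): a small allowlist-based sanitizer built on Python's `html.parser`, a weak allowlist that still permits `class` beside the hardened one that drops it, and a check that flags any element whose allowlist re-admits `class`. The element names and allowlists are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Per-element attribute allowlists (constructed sample configuration).
# The weak version still lets user markup set 'class' on styled elements.
WEAK_ALLOWLIST = {"a": {"href", "class"}, "span": {"class"}, "p": set()}
# Hardened version: 'class' removed from the affected elements' allowlists.
HARDENED_ALLOWLIST = {"a": {"href"}, "span": set(), "p": set()}

# Simplified URL scheme allowlist for href values (illustrative only).
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted elements and, per element, allowlisted attributes."""

    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist = allowlist
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowlist:
            return  # element dropped; its text content is still emitted via handle_data
        kept = []
        for name, value in attrs:
            if name not in self.allowlist[tag] or value is None:
                continue  # attribute not allowlisted for this element
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # reject e.g. javascript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowlist:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html, allowlist):
    parser = AllowlistSanitizer(allowlist)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def elements_allowing_class(allowlist):
    """Lint check: elements whose allowlist would let user input set 'class'."""
    return sorted(tag for tag, attrs in allowlist.items() if "class" in attrs)
```

Wiring `elements_allowing_class` into a test that fails when the result is non-empty is the kind of guard that stops a regression like this one from landing silently.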
Fixes for this bug were included in GitHub Enterprise versions 2.6.19, 2.7.14, 2.8.10, and 2.9.2.