@benhc123 reported that the endpoint for the Report abuse button on Gists was vulnerable to CSRF. We addressed this issue by not allowing GET requests to this endpoint.
@benhc123 notified us about a potential vulnerability that could allow certain responses from our servers to be treated by the browser as a Flash file. An exploit of this could allow an attacker to host a specially crafted Flash file on gist.githubusercontent.com, allowing for XSS or other attacks. This was considered a low severity vulnerability, as gist.githubusercontent.com is a domain reserved for serving untrusted user content and does not allow an attacker to access resources on gist.github.com or github.com. We addressed this issue by improving our content-type detection and modifying the servers’ responses to ensure that they are not treated as Flash files.
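As an added illustration of the two fixes described above (this is example code, not GitHub's own): a server-side check that rejects GET on the report-abuse endpoint and validates the CSRF token, and an SWF-signature check that keeps user content on the sandbox domain from being served in a form a browser would treat as a Flash file. The function names, header choices and sample bodies are my own assumptions.

```python
import hmac

# SWF files begin with a 3-byte signature: FWS (uncompressed), CWS (zlib), ZWS (LZMA),
# followed by a version byte. Sniffing this is what "content-type detection" must catch.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(body: bytes) -> bool:
    """True if the payload starts with an SWF signature plus a version byte."""
    return len(body) >= 4 and body[:3] in SWF_MAGIC


def safe_headers_for_user_content(body: bytes, declared_type: str) -> dict:
    """Response headers for untrusted user content served from a sandbox domain.

    Assumed policy: always send nosniff; if the body looks like SWF, do not serve it
    inline under any renderable type, hand it back as an opaque download instead.
    """
    headers = {
        "Content-Type": declared_type,
        "X-Content-Type-Options": "nosniff",  # forbid MIME sniffing of the declared type
        "Content-Disposition": "inline",
    }
    if looks_like_swf(body):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


def handle_report_abuse(method: str, session_csrf_token: str, submitted_token: str) -> int:
    """Return the HTTP status the report-abuse endpoint should answer with.

    GET is refused outright (the fix described on the page), so a cross-site
    navigation or image load can no longer trigger the action; POSTs must also
    carry a token matching the one bound to the session.
    """
    if method.upper() != "POST":
        return 405  # Method Not Allowed
    if not hmac.compare_digest(session_csrf_token, submitted_token):
        return 403  # Forbidden: token mismatch
    return 200


if __name__ == "__main__":
    # Constructed sample bodies: a zlib-compressed SWF header and a plain text gist.
    print(safe_headers_for_user_content(b"CWS\x0a\x00\x00\x00\x00", "text/plain"))
    print(safe_headers_for_user_content(b"print('hello')\n", "text/plain; charset=utf-8"))
    print(handle_report_abuse("GET", "tok", "tok"), handle_report_abuse("POST", "tok", "tok"))
```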