@hughdavenport reported a stored XSS vulnerability on the pull request page. Pull requests for branches with HTML in the name would result in attacker-controlled HTML being injected into the page.
While exploitation of this vulnerability was prevented by our use of CSP, we still took the threat seriously. We addressed the behavior by HTML-escaping the branch name on the pull request page. A fix for this vulnerability is included in GitHub Enterprise v2.1.6.
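To make the fix concrete, here is an added Ruby example (not GitHub's code) that renders a pull request heading from a branch name once without escaping and once with `ERB::Util.html_escape`. The branch name is a constructed sample containing markup; the template strings and function names are assumptions for the illustration.

```ruby
require "erb"

# Constructed sample branch name of the kind the report describes: a git
# branch whose name contains HTML markup. It is test data, not a real payload.
BRANCH_WITH_MARKUP = 'feature/<b onmouseover="x()">login</b>'

# Vulnerable rendering: the branch name is interpolated straight into the
# page, so any markup it carries becomes part of the document. A CSP can stop
# injected script from running, but the injection itself still happens here.
def render_pr_title_unsafe(branch)
  "<h1>Pull request from <code>#{branch}</code></h1>"
end

# Hardened rendering: the branch name is HTML-escaped before insertion.
# ERB::Util.html_escape encodes & < > " and ' so the browser shows the name
# as text instead of parsing it as markup.
def render_pr_title_safe(branch)
  "<h1>Pull request from <code>#{ERB::Util.html_escape(branch)}</code></h1>"
end

# Regression check: the rendered fragment must contain exactly the tags that
# come from our own template and nothing contributed by the branch name.
# (Assumed helper for this example; counts '<' characters in the output.)
def only_template_tags?(html, template_tag_count)
  html.count("<") == template_tag_count
end

if __FILE__ == $PROGRAM_NAME
  puts render_pr_title_unsafe(BRANCH_WITH_MARKUP)
  puts render_pr_title_safe(BRANCH_WITH_MARKUP)
end
```

The template above opens `<h1>`, `<code>`, `</code>` and `</h1>`, so `only_template_tags?` expects four `<` characters; the unsafe rendering has six because the branch name's `<b>` and `</b>` survive. Escaping at the point of output is the fix that removes the injection; CSP remains a second layer that limits what an injection can do if one slips through.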
@hughdavenport found that webhooks could be configured to make requests to internal network resources. This behavior had previously been blocked with application-level and host-level protections, but internal and local IPv6 addresses were not being blocked.
The vulnerability was mitigated by adding host firewall rules preventing webhook processes from making these requests. This was determined to be low risk for GitHub Enterprise instances. A fix will be included in GitHub Enterprise 2.2.
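The gap described above, where an IPv4-only deny list lets IPv6 loopback, link-local and unique-local targets through, is easy to reproduce in an application-level check. The following Ruby example is added here and is not GitHub's webhook code: it validates a webhook URL against a deny list that covers both address families and unwraps IPv4-mapped IPv6 addresses before applying the IPv4 rules. The ranges, the `FAKE_DNS` table and the function names are assumptions for the illustration; the hostnames and addresses are constructed (documentation prefixes).

```ruby
require "ipaddr"
require "uri"
require "resolv"

# Address ranges a webhook delivery process should never connect to. Both
# families are listed; the report concerned the IPv6 entries being absent.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }

# True when the address string falls inside a blocked range. IPv4-mapped IPv6
# (::ffff:a.b.c.d) is unwrapped first so the IPv4 rules apply to it as well;
# otherwise ::ffff:10.0.0.1 would slip past an IPv4-only list.
def internal_address?(raw)
  ip = IPAddr.new(raw)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Constructed resolver table so the example runs offline. A real deployment
# would use Resolv.getaddresses (the default resolver below).
FAKE_DNS = {
  "hooks.example.test" => ["203.0.113.10", "2001:db8::10"],
  "mixed.example.test" => ["203.0.113.10", "::1"],   # one internal record
  "nx.example.test"    => []                          # does not resolve
}.freeze

# Decides whether a webhook URL may be delivered to. Only http/https are
# accepted; the host must resolve to at least one address, and every address
# must be outside the blocked ranges, because the HTTP client may connect to
# any record the resolver returns.
def webhook_target_allowed?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  return false if host.nil? || host.empty?

  literal = (IPAddr.new(host) rescue nil)
  addresses = literal ? [host] : resolver.call(host)
  return false if addresses.empty?
  addresses.none? { |addr| internal_address?(addr) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end

if __FILE__ == $PROGRAM_NAME
  fake = ->(h) { FAKE_DNS.fetch(h, []) }
  %w[https://hooks.example.test/receive http://[::1]:8080/receive
     https://mixed.example.test/receive].each do |u|
    puts "#{u} -> #{webhook_target_allowed?(u, resolver: fake) ? 'allowed' : 'blocked'}"
  end
end
```

A check like this runs at configuration time, so it cannot stop a host whose DNS answer changes between validation and delivery. That is why the page's own fix sits at the host firewall, which is enforced at connection time; the application-level list is the complement that gives users an immediate error instead of a silently dropped delivery.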