@rhyselsmore discovered that the endpoint we use to preview Markdown content would render as a standalone page when fetched via a GET request. Rendered Markdown is sanitized to prevent malicious content, such as injected JavaScript, but links to third-party sites are allowed. Normally, links to third-party sites are not a likely phishing vector, because rendered Markdown clearly shows that a GitHub user authored the content. However, because the preview endpoint could be rendered as a standalone page, it was not clear who had authored the content, which could result in a fairly convincing phishing scenario. We addressed the vulnerability by restricting the endpoint to POST requests, which are not accessible to an attacker.