Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
Vulnerability Description
LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue.
CVSS Information
N/A
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
LiveCode 代码注入漏洞
Vulnerability Description
LiveCode是LiveCode团队的一款多平台编程工具,可在iOS、Android、OS X、Windows 95到Windows 10、Raspberry Pi和多种 Unix 变体(包括 Linux、Solaris 和 BSD)上运行。 LiveCode存在代码注入漏洞,该漏洞源于i18n-update-pull GitHub Actions工作流存在JavaScript注入漏洞,与触发问题评论关联的拉取请求标题使用GitHub Actions模板表达式直接插入到actions/github-sc
CVSS Information
N/A
Vulnerability Type
N/A