{"vulnerability": "cve-2023-26493", "sightings": [{"uuid": "9c1e3214-7b8d-4675-9aeb-95f72851e4fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26493", "type": "seen", "source": "https://t.me/cibsecurity/60847", "content": "\u203c CVE-2023-26493 \u203c\n\nCocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} \u00e2\u20ac\u201c the name of the fork\u00e2\u20ac\u2122s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-28T02:26:17.000000Z"}]}