This might look really funny, but consider this: The JavaScript you are executing there runs on the GitHub domain. So it can do whatever you can do by manually clicking.
The injected script could, for example, submit a new SSH public key for your account (doesn't require your password again). Or just be funny and delete repos. Or just upgrade your account to a bigger, more expensive plan.
Or they could get a list of your private repositories. Combine that with the upload of a new private key and you'll get free access to proprietary code of any account.
Aside from fixing the XSS issue, they really should ask for the password again when uploading a public key.
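A sketch of the re-authentication gate the comment asks for, added here as an illustration; it is not part of the original comment and not GitHub's code. All names (`Account`, `Session`, `SUDO_WINDOW`, the action names) and the 300-second window are assumptions, and the SSH key string is constructed.

```python
import hashlib
import hmac
import os

SUDO_WINDOW = 300  # assumed: seconds a password confirmation stays valid
SENSITIVE = {"add_ssh_key", "delete_repo", "change_plan"}  # hypothetical action names


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.ssh_keys = []


class Session:
    """A logged-in session. Script running in the page can ride this
    session, but it does not know the account password."""

    def __init__(self, account):
        self.account = account
        self.confirmed_at = None  # time of last password confirmation


def confirm_password(session, password, now):
    candidate = hash_password(password, session.account.salt)
    if hmac.compare_digest(candidate, session.account.pw_hash):
        session.confirmed_at = now
        return True
    return False


def authorize(session, action, now):
    # Ordinary actions need only the session; sensitive ones also need
    # a password confirmation inside the window.
    if action not in SENSITIVE:
        return True
    confirmed = session.confirmed_at
    return confirmed is not None and 0 <= now - confirmed <= SUDO_WINDOW


def add_ssh_key(session, public_key, now):
    if not authorize(session, "add_ssh_key", now):
        return "reauth_required"  # session cookie alone is not enough
    session.account.ssh_keys.append(public_key)
    return "ok"
```

A request that carries only the session, which is all an injected script has, gets `reauth_required` until the password is entered, and the confirmation expires after the window.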