GHSA-469h-mqg8-535r

Suggest an improvement
Source
https://github.com/advisories/GHSA-469h-mqg8-535r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-469h-mqg8-535r/GHSA-469h-mqg8-535r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-469h-mqg8-535r
Aliases
Published
2023-07-11T22:47:01Z
Modified
2023-11-07T05:36:05.572145Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Decidim Cross-site Scripting vulnerability in the external link redirections
Details

Impact

The external link feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.

Patches

The problem was patched in v0.27.3 and v0.26.7

Database specific
{
    "nvd_published_at": "2023-07-11T18:15:14Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-11T22:47:01Z"
}
References

Affected packages

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.25.0
Fixed
0.26.7

Affected versions

0.*

0.25.0
0.25.1
0.25.2
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5

RubyGems / decidim-core

Package

Name
decidim-core
Purl
pkg:gem/decidim-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.27.0
Fixed
0.27.3

Affected versions

0.*

0.27.0
0.27.1
0.27.2

RubyGems / decidim-core

Package

Name
decidim-core
Purl
pkg:gem/decidim-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.25.0
Fixed
0.26.7

Affected versions

0.*

0.25.0
0.25.1
0.25.2
0.26.0.rc1
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.27.0
Fixed
0.27.3

Affected versions

0.*

0.27.0
0.27.1
0.27.2