GHSA-529p-jj47-w3m3

Suggest an improvement
Source
https://github.com/advisories/GHSA-529p-jj47-w3m3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-529p-jj47-w3m3/GHSA-529p-jj47-w3m3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-529p-jj47-w3m3
Aliases
  • CVE-2024-27095
Published
2024-07-10T16:02:07Z
Modified
2024-07-11T21:47:13.169424Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
Decidim cross-site scripting (XSS) in the admin panel
Details

Impact

The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server.

The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source.

Patches

Available in versions 0.27.6 and 0.28.1.

Workarounds

Review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it.

References

OWASP ASVS v4.0.3-5.1.3

Database specific
{
    "nvd_published_at": "2024-07-10T19:15:10Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-10T16:02:07Z"
}
References

Affected packages

RubyGems / decidim-admin

Package

Name
decidim-admin
Purl
pkg:gem/decidim-admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.27.6

Affected versions

0.*

0.0.1.alpha3
0.0.1.alpha4
0.0.1.alpha5
0.0.1.alpha6
0.0.1.alpha7
0.0.1.alpha8
0.0.1.alpha9
0.0.1
0.0.2
0.0.3
0.0.5
0.0.6
0.0.7
0.0.8.1
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.11.0.pre1
0.11.1
0.11.2
0.12.0.pre
0.12.0
0.12.1
0.12.2
0.13.0.pre1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.18.0
0.18.1
0.19.0
0.19.1
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1.rc1
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc1
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7
0.26.8
0.26.9
0.26.10
0.27.0.rc1
0.27.0.rc2
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5

RubyGems / decidim-admin

Package

Name
decidim-admin
Purl
pkg:gem/decidim-admin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.28.0.rc1
Fixed
0.28.1

Affected versions

0.*

0.28.0.rc4
0.28.0.rc5
0.28.0