GHSA-5652-92r9-3fx9

Source

https://github.com/advisories/GHSA-5652-92r9-3fx9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5652-92r9-3fx9/GHSA-5652-92r9-3fx9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-5652-92r9-3fx9

Aliases

CVE-2023-34089

Published

2023-07-11T22:46:57Z

Modified

2023-11-07T05:31:13.702665Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Decidim Cross-site Scripting vulnerability in the processes filter

Details

Impact

The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.

Patches

The problem was patched in v0.27.3 and v0.26.7

Database specific

{
    "nvd_published_at": "2023-07-11T18:15:16Z",
    "github_reviewed_at": "2023-07-11T22:46:57Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "severity": "HIGH"
}

References

Affected packages

RubyGems / decidim

Package

Name: decidim
Purl: pkg:gem/decidim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.14.0

Fixed

0.26.7

Affected versions

0.*

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.16.0

0.16.1

0.17.0

0.17.1

0.17.2

0.18.0

0.18.1

0.19.0

0.19.1

0.20.0

0.20.1

0.21.0

0.22.0

0.23.0

0.23.1.rc1

0.23.1

0.23.2

0.23.3

0.23.4

0.23.5

0.23.6

0.24.0.rc1

0.24.0.rc2

0.24.0

0.24.1

0.24.2

0.24.3

0.25.0.rc1

0.25.0.rc2

0.25.0.rc3

0.25.0.rc4

0.25.0

0.25.1

0.25.2

0.26.0.rc2

0.26.0

0.26.1

0.26.2

0.26.3

0.26.4

0.26.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5652-92r9-3fx9/GHSA-5652-92r9-3fx9.json"

RubyGems / decidim

Package

Name: decidim
Purl: pkg:gem/decidim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.27.0

Fixed

0.27.3

Affected versions

0.*

0.27.0

0.27.1

0.27.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5652-92r9-3fx9/GHSA-5652-92r9-3fx9.json"

RubyGems / decidim-core

Package

Name: decidim-core
Purl: pkg:gem/decidim-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.14.0

Fixed

0.26.7

Affected versions

0.*

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.16.0

0.16.1

0.17.0

0.17.1

0.17.2

0.18.0

0.18.1

0.19.0

0.19.1

0.20.0

0.20.1

0.21.0

0.22.0

0.23.0

0.23.1.rc1

0.23.1

0.23.2

0.23.3

0.23.4

0.23.5

0.23.6

0.24.0.rc1

0.24.0.rc2

0.24.0

0.24.1

0.24.2

0.24.3

0.25.0.rc1

0.25.0.rc2

0.25.0.rc3

0.25.0.rc4

0.25.0

0.25.1

0.25.2

0.26.0.rc1

0.26.0.rc2

0.26.0

0.26.1

0.26.2

0.26.3

0.26.4

0.26.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5652-92r9-3fx9/GHSA-5652-92r9-3fx9.json"

RubyGems / decidim-core

Package

Name: decidim-core
Purl: pkg:gem/decidim-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.27.0

Fixed

0.27.3

Affected versions

0.*

0.27.0

0.27.1

0.27.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5652-92r9-3fx9/GHSA-5652-92r9-3fx9.json"