Vulnerabilities related to decidim - decidim
Vulnerability from fkie_nvd
Published
2023-07-11 18:15
Modified
2024-11-21 08:06
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.
Impacted products
Vendor Product Version
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "E9D93E20-6119-4518-9533-55AECCB477E3",
              "versionEndExcluding": "0.27.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3. "
    }
  ],
  "id": "CVE-2023-34090",
  "lastModified": "2024-11-21T08:06:31.323",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-07-11T18:15:16.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-11-13 17:15
Modified
2025-02-28 15:52
Summary
Decidim is a participatory democracy framework. The meeting embeds feature used in online or hybrid meetings is subject to a potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0.
Impacted products
Vendor Product Version
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "296B5B0A-813C-4519-ABFE-F2D80245AE41",
              "versionEndExcluding": "0.28.3",
              "versionStartIncluding": "0.28.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. La funci\u00f3n de integraci\u00f3n de reuniones que se utiliza en las reuniones en l\u00ednea o h\u00edbridas est\u00e1 sujeta a posibles ataques XSS a trav\u00e9s de una URL mal formada. Esta vulnerabilidad se ha corregido en las versiones 0.28.3 y 0.29.0."
    }
  ],
  "id": "CVE-2024-45594",
  "lastModified": "2025-02-28T15:52:30.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-13T17:15:10.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-06 12:15
Modified
2024-11-21 08:09
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in versions 0.26.8 and 0.27.4.
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "531423A6-A402-4899-A922-076C3AAA055A",
              "versionEndExcluding": "0.26.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "059C1800-67EF-4DC6-903D-0F9043FBEC4F",
              "versionEndExcluding": "0.27.4",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn\u0027t enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa, escrito en Ruby on Rails, desarrollado originalmente para el sitio web de participaci\u00f3n en l\u00ednea y fuera de l\u00ednea del gobierno de la ciudad de Barcelona. El m\u00f3dulo `templates` no aplica los permisos correctos, lo que permite que cualquier usuario que haya iniciado sesi\u00f3n acceda a esta funcionalidad en el panel de administraci\u00f3n. Un atacante podr\u00eda utilizar esta vulnerabilidad para cambiar, crear o eliminar plantillas de encuestas. Este problema se solucion\u00f3 en las versiones 0.26.8 y 0.27.4."
    }
  ],
  "id": "CVE-2023-36465",
  "lastModified": "2024-11-21T08:09:46.057",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-06T12:15:11.683",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-29 01:41
Modified
2025-02-14 17:29
Summary
Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than one endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel. Versions 0.26.9, 0.27.5, and 0.28.0 contain a patch for this issue. As a workaround, disable the Endorsement feature in the components.
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "C8A5D343-1E37-498D-B248-667017D2600D",
              "versionEndExcluding": "0.26.9",
              "versionStartIncluding": "0.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "38FDE900-4C89-45E3-821E-BF6F2A69C587",
              "versionEndExcluding": "0.27.5",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel. Versions 0.26.9, 0.27.5, and 0.28.0 contain a patch for this issue. As a workaround, disable the Endorsement feature in the components. "
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. A partir de la versi\u00f3n 0.10.0 y antes de las versiones 0.26.9, 0.27.5 y 0.28.0, una condici\u00f3n de ejecuci\u00f3n en la aprobaci\u00f3n de recursos (por ejemplo, una propuesta) permite a un usuario realizar m\u00e1s de una aprobaci\u00f3n. Para aprovechar esta vulnerabilidad, la solicitud para establecer un respaldo debe enviarse varias veces en paralelo. Las versiones 0.26.9, 0.27.5 y 0.28.0 contienen un parche para este problema. Como workaround, desactive la funci\u00f3n Respaldo en los componentes."
    }
  ],
  "id": "CVE-2023-47634",
  "lastModified": "2025-02-14T17:29:55.400",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-29T01:41:28.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-07-11 18:15
Modified
2024-11-21 08:03
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "ED7C8457-F45C-4727-A1B0-53A12284A2D2",
              "versionEndExcluding": "0.26.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "4D389308-6526-443B-8169-2732F74EFF50",
              "versionEndExcluding": "0.27.3",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7."
    }
  ],
  "id": "CVE-2023-32693",
  "lastModified": "2024-11-21T08:03:51.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-07-11T18:15:14.147",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-07-11 18:15
Modified
2024-11-21 08:06
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "ED7C8457-F45C-4727-A1B0-53A12284A2D2",
              "versionEndExcluding": "0.26.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "4D389308-6526-443B-8169-2732F74EFF50",
              "versionEndExcluding": "0.27.3",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.\n"
    }
  ],
  "id": "CVE-2023-34089",
  "lastModified": "2024-11-21T08:06:31.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-07-11T18:15:16.170",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-07-10 19:15
Modified
2024-11-21 09:03
Summary
Decidim is a participatory democracy framework. The admin panel is subject to a potential XSS attack if the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1.
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim 0.28.0
decidim decidim 0.28.0
decidim decidim 0.28.0
decidim decidim 0.28.0
decidim decidim 0.28.0
decidim decidim 0.28.0



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F06324EE-53B1-4FAE-8BEF-795C35E4975D",
              "versionEndExcluding": "0.27.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "637B8863-0862-4FB4-9871-EDCF21054F34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc1:*:*:*:ruby:*:*",
              "matchCriteriaId": "8B3E98CE-A52C-4965-8549-559A23A38306",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc2:*:*:*:ruby:*:*",
              "matchCriteriaId": "D90343A7-D472-4EE2-91A1-9F173A42BCD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc3:*:*:*:ruby:*:*",
              "matchCriteriaId": "A7805027-BBE2-48C3-AE74-F8D03A76D00F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc4:*:*:*:ruby:*:*",
              "matchCriteriaId": "178DC9F7-9880-437E-A0BF-CD5A4E6691BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc5:*:*:*:ruby:*:*",
              "matchCriteriaId": "76E8A31B-8F15-4D43-A371-230C4FADDF5F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. El panel de administraci\u00f3n est\u00e1 sujeto a un posible adjunto XSS en caso de que el atacante logre modificar algunos registros que se cargan en el servidor. Esta vulnerabilidad se solucion\u00f3 en 0.27.6 y 0.28.1."
    }
  ],
  "id": "CVE-2024-27095",
  "lastModified": "2024-11-21T09:03:50.910",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-10T19:15:10.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 18:15
Modified
2024-12-16 21:46
Summary
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is whether the user has been invited, but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks`, so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there, and the dependency should be upgraded in Decidim once the fix becomes available. Upgrading `devise_invitable` to version `2.0.9` or above fixes this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
References
security-advisories@github.comhttps://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134Product
security-advisories@github.comhttps://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34Patch
security-advisories@github.comhttps://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454Patch
security-advisories@github.comhttps://github.com/decidim/decidim/releases/tag/v0.26.9Release Notes
security-advisories@github.comhttps://github.com/decidim/decidim/releases/tag/v0.27.5Release Notes
security-advisories@github.comhttps://github.com/decidim/decidim/releases/tag/v0.28.0Release Notes
security-advisories@github.comhttps://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwpMitigation, Patch, Vendor Advisory
security-advisories@github.comhttps://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198Product
security-advisories@github.comhttps://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/releases/tag/v0.26.9Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/releases/tag/v0.27.5Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/releases/tag/v0.28.0Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwpMitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098Patch



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "6D1B1016-51D8-4E01-A074-A10CAEC25485",
              "versionEndExcluding": "0.26.9",
              "versionStartIncluding": "0.0.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "38FDE900-4C89-45E3-821E-BF6F2A69C587",
              "versionEndExcluding": "0.27.5",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "DE4555F1-EB34-4472-931F-918D00E481F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha3:*:*:*:ruby:*:*",
              "matchCriteriaId": "31A4E87B-87B1-40B3-B313-44570B5A77F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha4:*:*:*:ruby:*:*",
              "matchCriteriaId": "F5AA544E-60FB-4D83-934D-FA82E2E51BB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha5:*:*:*:ruby:*:*",
              "matchCriteriaId": "D74508D4-F213-42D9-8E09-AE9FD6D08598",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha6:*:*:*:ruby:*:*",
              "matchCriteriaId": "01F34579-CCA4-4F22-AD26-27DD7B0586A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha7:*:*:*:ruby:*:*",
              "matchCriteriaId": "7BBA5EB0-C175-4AAA-89CC-EC964C05A7A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha8:*:*:*:ruby:*:*",
              "matchCriteriaId": "1BF30DCF-EC5F-4411-A124-69EB5A06AFCE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.0.1:alpha9:*:*:*:ruby:*:*",
              "matchCriteriaId": "A5DC0B15-23BF-4305-A018-1E56C1F32BB2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scambra:devise_invitable:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F9EB2E96-5C9B-4483-9185-76CEABC1C661",
              "versionEndExcluding": "2.0.9",
              "versionStartIncluding": "0.4.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:scambra:devise_invitable:0.4.0:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "7DF8801D-7388-4480-BB49-18205160FA6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:scambra:devise_invitable:0.4.0:rc3:*:*:*:ruby:*:*",
              "matchCriteriaId": "7A4594E1-64CB-4404-9C87-9759A657E18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:scambra:devise_invitable:0.4.0:rc4:*:*:*:ruby:*:*",
              "matchCriteriaId": "27BB4517-6C0E-4426-9EAC-D702AF00718E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:scambra:devise_invitable:0.4.0:rc5:*:*:*:ruby:*:*",
              "matchCriteriaId": "D0D4559B-7949-4339-B7DD-BEA7EE98320B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. A partir de la versi\u00f3n 0.4.rc3 y antes de la versi\u00f3n 2.0.9 de la gema `devise_invitable`, la funci\u00f3n de invitaciones permite a los usuarios aceptar la invitaci\u00f3n por un per\u00edodo de tiempo ilimitado a trav\u00e9s de la funci\u00f3n de restablecimiento de contrase\u00f1a. Este problema crea dependencias vulnerables a partir de la versi\u00f3n 0.0.1.alpha3 y anteriores a las versiones 0.26.9, 0.27.5 y 0.28.0 de las gemas `decidim`, `decidim-admin` y `decidim-system`. Cuando se utiliza la funci\u00f3n de restablecimiento de contrase\u00f1a, la gema `devise_invitable` siempre acepta la invitaci\u00f3n pendiente si el usuario ha sido invitado. La \u00fanica verificaci\u00f3n realizada es si el usuario ha sido invitado pero el c\u00f3digo no garantiza que la invitaci\u00f3n pendiente siga siendo v\u00e1lida seg\u00fan lo definido por el per\u00edodo de vencimiento de `invite_for`. Decidim establece esta configuraci\u00f3n en `2.weeks` por lo que se debe respetar esta configuraci\u00f3n. El error est\u00e1 en la gema `devise_invitable` y deber\u00eda solucionarse all\u00ed y la dependencia deber\u00eda actualizarse en Decidim una vez que la soluci\u00f3n est\u00e9 disponible. `devise_invitable` a la versi\u00f3n `2.0.9` y superiores solucionan este problema. Las versiones 0.26.9, 0.27.5 y 0.28.0 de las gemas `decidim`, `decidim-admin` y `decidim-system` contienen esta soluci\u00f3n. Como workaround, las invitaciones se pueden cancelar directamente desde la base de datos."
    }
  ],
  "id": "CVE-2023-48220",
  "lastModified": "2024-12-16T21:46:47.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T18:15:50.350",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-672"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-672"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-16 19:16
Modified
2024-09-29 00:14
Summary
decidim is a Free Open-Source participatory democracy, citizen participation and open government platform for cities and organizations. The admin panel is subject to a potential Cross-site scripting (XSS) attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources contains a crafted XSS payload. This issue has been addressed in release versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (e.g. `/admin/organization/edit`).
Impacted products
Vendor Product Version
decidim decidim *
decidim decidim 0.28.0
decidim decidim 0.28.1



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "6C6546E7-9340-4C15-BEF9-9075508E1C35",
              "versionEndExcluding": "0.27.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "637B8863-0862-4FB4-9871-EDCF21054F34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.1:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "45B74421-A9CA-4C0F-86ED-A6AAB5FCF7F7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`)."
    },
    {
      "lang": "es",
      "value": "Decidim es una democracia participativa, participaci\u00f3n ciudadana y gobierno abierto de c\u00f3digo abierto y gratuito para ciudades y organizaciones. El panel de administraci\u00f3n est\u00e1 sujeto a posibles ataques de cross site scripting (XSS) en caso de que un administrador asigne un evaluador a una propuesta o realice cualquier otra acci\u00f3n que genere un registro de actividad de administraci\u00f3n donde uno de los recursos tenga un XSS creado. Este problema se ha solucionado en las versiones de lanzamiento 0.27.7, 0.28.2 y posteriores. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden redirigir las p\u00e1ginas /admin y /admin/logs a otras p\u00e1ginas de administraci\u00f3n para evitar este acceso (es decir, `/admin/organization/edit`)."
    }
  ],
  "id": "CVE-2024-32034",
  "lastModified": "2024-09-29T00:14:35.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-16T19:16:10.300",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 18:15
Modified
2024-12-16 21:28
Summary
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat, as you also need to have access to the session cookie in order to see this resource. This URL does not allow modifying the resource, but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
References
security-advisories@github.comhttps://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11Product
security-advisories@github.comhttps://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660Patch
security-advisories@github.comhttps://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121acPatch
security-advisories@github.comhttps://github.com/decidim/decidim/pull/11743Issue Tracking
security-advisories@github.comhttps://github.com/decidim/decidim/pull/6247Issue Tracking
security-advisories@github.comhttps://github.com/decidim/decidim/releases/tag/v0.27.5Release Notes
security-advisories@github.comhttps://github.com/decidim/decidim/releases/tag/v0.28.0Release Notes
security-advisories@github.comhttps://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6vPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121acPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/pull/11743Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/pull/6247Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/releases/tag/v0.27.5Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/releases/tag/v0.28.0Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6vPatch, Vendor Advisory
Impacted products
Vendor Product Version
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "D462F3FF-794C-4605-A9F4-FBB97A7F9FD1",
              "versionEndExcluding": "0.27.5",
              "versionStartIncluding": "0.23.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. A partir de la versi\u00f3n 0.23.0 y anteriores a las versiones 0.27.5 y 0.28.0, la verificaci\u00f3n del token de autenticidad CSRF est\u00e1 deshabilitada para la vista previa de las plantillas de cuestionario. El problema no implica un problema de seguridad grave, ya que tambi\u00e9n es necesario tener acceso a la cookie de sesi\u00f3n para poder ver este recurso. Esta URL no permite modificar el recurso, pero puede permitir a los atacantes obtener acceso a informaci\u00f3n que no estaba destinada a ser p\u00fablica. El problema se solucion\u00f3 en las versiones 0.27.5 y 0.28.0. Como workaround, desactive la funcionalidad de plantillas o elimine todas las plantillas disponibles."
    }
  ],
  "id": "CVE-2023-47635",
  "lastModified": "2024-12-16T21:28:47.970",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T18:15:50.147",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/11743"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/6247"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/11743"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/6247"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-16 19:16
Modified
2024-09-29 00:33
Summary
decidim is a Free Open-Source participatory democracy, citizen participation and open government framework for cities and organizations. The WYSIWYG editor QuillJS is subject to a potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change the submitted HTML e.g. to `<svg onload=alert('XSS')>` if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it, and disable the "Enable rich text editor for participants" setting in the admin dashboard.
Impacted products
Vendor Product Version
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "6C6546E7-9340-4C15-BEF9-9075508E1C35",
              "versionEndExcluding": "0.27.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to \u003csvg onload=alert(\u0027XSS\u0027)\u003e if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space\u0027s Administrators) and remove access to them if they don\u0027t need it. Disable the \"Enable rich text editor for participants\" setting in the admin dashboard"
    },
    {
      "lang": "es",
      "value": "Decidim es una democracia participativa, participaci\u00f3n ciudadana y gobierno abierto de c\u00f3digo abierto y gratuito para ciudades y organizaciones. El editor WYSWYG QuillJS est\u00e1 sujeto a posibles ataques XSS en caso de que el atacante logre modificar el HTML antes de subirlo al servidor. El atacante puede cambiar, por ejemplo, a \u003csvg onload=alert(\u0027XSS\u0027)\u003e si sabe c\u00f3mo crear estas solicitudes por s\u00ed mismo. Este problema se ha solucionado en la versi\u00f3n 0.27.7. Se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben revisar las cuentas de usuario que tienen acceso al panel de administraci\u00f3n (es decir, administradores generales y administradores del espacio participativo) y eliminar el acceso a ellas si no lo necesitan. Desactive la opci\u00f3n \"Habilitar editor de texto enriquecido para participantes\" en el panel de administraci\u00f3n"
    }
  ],
  "id": "CVE-2024-39910",
  "lastModified": "2024-09-29T00:33:03.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-16T19:16:10.540",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-02-20 18:15
Modified
2024-12-16 22:43
Summary
Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `<svg onload=alert('XSS')>` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.
References
security-advisories@github.com — https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 — Patch
security-advisories@github.com — https://github.com/decidim/decidim/pull/11612 — Issue Tracking
security-advisories@github.com — https://github.com/decidim/decidim/releases/tag/v0.27.5 — Release Notes
security-advisories@github.com — https://github.com/decidim/decidim/releases/tag/v0.28.0 — Release Notes
security-advisories@github.com — https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq — Mitigation, Patch, Vendor Advisory
security-advisories@github.com — https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 — Product
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 — Patch
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/decidim/decidim/pull/11612 — Issue Tracking
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/decidim/decidim/releases/tag/v0.27.5 — Release Notes
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/decidim/decidim/releases/tag/v0.28.0 — Release Notes
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq — Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 — Product
Impacted products
Vendor Product Version
decidim decidim *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "38FDE900-4C89-45E3-821E-BF6F2A69C587",
              "versionEndExcluding": "0.27.5",
              "versionStartIncluding": "0.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. A partir de la versi\u00f3n 0.27.0 y antes de las versiones 0.27.5 y 0.28.0, la funci\u00f3n de carga din\u00e1mica de archivos est\u00e1 sujeta a posibles ataques de Cross-site scripting en caso de que el atacante logre modificar los nombres de los archivos de los registros que se cargan en el servidor. Esto aparece en secciones donde el usuario controla los cuadros de di\u00e1logo de carga de archivos y tiene el conocimiento t\u00e9cnico para cambiar los nombres de los archivos a trav\u00e9s del endpoint de carga din\u00e1mica. Por lo tanto, creo que requerir\u00eda que el atacante controlara toda la sesi\u00f3n del usuario en particular, pero en cualquier caso, esto debe solucionarse. La explotaci\u00f3n exitosa de esta vulnerabilidad requerir\u00eda que el usuario haya subido exitosamente un blob de archivos al servidor con un nombre de archivo malicioso y luego tenga la posibilidad de dirigir al otro usuario a la p\u00e1gina de edici\u00f3n del registro donde se adjunta el archivo adjunto. Los usuarios pueden crear ellos mismos las solicitudes de carga directa controlando el nombre del archivo que se almacena en la base de datos. El atacante puede cambiar el nombre del archivo, por ejemplo, a `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` si sabe c\u00f3mo elaborar estas solicitudes por s\u00ed mismo. Y luego ingrese el ID del blob devuelto en las entradas del formulario manualmente modificando la fuente de la p\u00e1gina de edici\u00f3n. Las versiones 0.27.5 y 0.28.0 contienen un parche para este problema. Como workaround, deshabilite las cargas din\u00e1micas para la instancia, por ejemplo, desde propuestas."
    }
  ],
  "id": "CVE-2023-51447",
  "lastModified": "2024-12-16T22:43:27.217",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-20T18:15:50.547",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/11612"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/decidim/decidim/pull/11612"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2023-48220 (GCVE-0-2023-48220)
Vulnerability from cvelistv5
Published
2024-02-20 17:24
Modified
2025-04-24 15:04
CWE
  • CWE-672 - Operation on a Resource after Expiration or Release
Summary
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is whether the user has been invited; the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks`, so this configuration should be respected. The bug is in the `devise_invitable` gem and is fixed there; the dependency is upgraded in Decidim accordingly. Upgrading `devise_invitable` to version `2.0.9` or above fixes this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, pending invitations can be cancelled directly from the database.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.0.1.alpha3, < 0.26.9
Version: >= 0.27.0, < 0.27.5
Version: >= 0.4.rc3, < 2.0.9 (note: this third range is the affected `devise_invitable` gem version range, not a decidim version range, even though the record lists it under the decidim product)


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.26.9",
                "status": "affected",
                "version": "0.0.1.alpha3",
                "versionType": "custom"
              },
              {
                "lessThan": "0.27.5",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.0.9",
                "status": "affected",
                "version": "0.4.rc3",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-48220",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T15:23:30.053194Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T15:04:40.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:23:39.264Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
          },
          {
            "name": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
          },
          {
            "name": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.26.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
          },
          {
            "name": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.0.1.alpha3, \u003c 0.26.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.5"
            },
            {
              "status": "affected",
              "version": " \u003e= 0.4.rc3, \u003c 2.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T17:27:26.335Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
        },
        {
          "name": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
        },
        {
          "name": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.26.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        },
        {
          "name": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
        }
      ],
      "source": {
        "advisory": "GHSA-w3q8-m492-4pwp",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim\u0027s devise_invitable gem vulnerable to circumvention of invitation token expiry period"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-48220",
    "datePublished": "2024-02-20T17:24:37.791Z",
    "dateReserved": "2023-11-13T13:25:18.480Z",
    "dateUpdated": "2025-04-24T15:04:40.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-39910 (GCVE-0-2024-39910)
Vulnerability from cvelistv5
Published
2024-09-16 18:38
Modified
2024-09-16 19:58
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSIWYG editor QuillJS is subject to a potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change it e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the "Enable rich text editor for participants" setting in the admin dashboard.
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.7


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39910",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-16T19:57:51.999340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-16T19:58:06.959Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSIWYG editor QuillJS is subject to a potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change it e.g. to \u003csvg onload=alert(\u0027XSS\u0027)\u003e if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space\u0027s Administrators) and remove access to them if they don\u0027t need it. Disable the \"Enable rich text editor for participants\" setting in the admin dashboard."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-16T18:38:11.423Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"
        }
      ],
      "source": {
        "advisory": "GHSA-vvqw-fqwx-mqmm",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSIWYG editor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-39910",
    "datePublished": "2024-09-16T18:38:11.423Z",
    "dateReserved": "2024-07-02T19:37:18.601Z",
    "dateUpdated": "2024-09-16T19:58:06.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-32034 (GCVE-0-2024-32034)
Vulnerability from cvelistv5
Published
2024-09-16 18:38
Modified
2024-09-16 20:00
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to a potential Cross-site scripting (XSS) attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources contains a crafted XSS payload. This issue has been addressed in release versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (e.g. `/admin/organization/edit`).
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.7
Version: >= 0.28.0, < 0.28.2


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32034",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-16T19:59:49.091452Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-16T20:00:04.199Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.28.0, \u003c 0.28.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to a potential Cross-site scripting (XSS) attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources contains a crafted XSS payload. This issue has been addressed in release versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (e.g. `/admin/organization/edit`)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-16T18:38:09.562Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6"
        }
      ],
      "source": {
        "advisory": "GHSA-rx9f-5ggv-5rh6",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting (XSS) in the decidim admin activity log"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32034",
    "datePublished": "2024-09-16T18:38:09.562Z",
    "dateReserved": "2024-04-09T15:29:35.939Z",
    "dateUpdated": "2024-09-16T20:00:04.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-34089 (GCVE-0-2023-34089)
Vulnerability from cvelistv5
Published
2023-07-11 17:36
Modified
2024-11-04 19:55
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.14.0, < 0.26.7
Version: >= 0.27.0, < 0.27.3


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:01:53.706Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.26.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.26.6"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.26.7",
                "status": "affected",
                "version": "0.14.0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.27.3",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34089",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-04T19:43:06.293337Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T19:55:37.787Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.14.0, \u003c 0.26.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-19T20:52:42.091Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.26.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.6"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
        }
      ],
      "source": {
        "advisory": "GHSA-5652-92r9-3fx9",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim Cross-site Scripting vulnerability in the processes filter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34089",
    "datePublished": "2023-07-11T17:36:14.670Z",
    "dateReserved": "2023-05-25T21:56:51.244Z",
    "dateUpdated": "2024-11-04T19:55:37.787Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-47635 (GCVE-0-2023-47635)
Vulnerability from cvelistv5
Published
2024-02-20 16:45
Modified
2024-08-22 13:25
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat, as you also need access to the session cookie in order to see this resource. This URL does not allow modifying the resource, but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.23.0, < 0.27.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:16:42.655Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
          },
          {
            "name": "https://github.com/decidim/decidim/pull/11743",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/pull/11743"
          },
          {
            "name": "https://github.com/decidim/decidim/pull/6247",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/pull/6247"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
          },
          {
            "name": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.27.5",
                "status": "affected",
                "version": "0.23.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47635",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-22T13:23:33.057811Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-22T13:25:39.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.23.0, \u003c 0.27.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat, as you also need access to the session cookie in order to see this resource. This URL does not allow modifying the resource, but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T17:26:38.896Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/11743",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/11743"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/6247",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/6247"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
        },
        {
          "name": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f3qm-vfc3-jg6v",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim vulnerable to possible CSRF attack at questionnaire templates preview"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-47635",
    "datePublished": "2024-02-20T16:45:39.305Z",
    "dateReserved": "2023-11-07T16:57:49.245Z",
    "dateUpdated": "2024-08-22T13:25:39.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41673 (GCVE-0-2024-41673)
Vulnerability from cvelistv5
Published
2024-10-01 14:58
Modified
2024-10-01 17:47
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8.
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.8


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-01T17:47:16.897644Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-01T17:47:27.814Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-01T14:58:34.521Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637"
        }
      ],
      "source": {
        "advisory": "GHSA-cc4g-m3g7-xmw8",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim has a cross-site scripting vulnerability in the version control page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41673",
    "datePublished": "2024-10-01T14:58:34.521Z",
    "dateReserved": "2024-07-18T15:21:47.486Z",
    "dateUpdated": "2024-10-01T17:47:27.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-32693 (GCVE-0-2023-32693)
Vulnerability from cvelistv5
Published
2023-07-11 17:19
Modified
2024-11-04 19:54
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.25.0, < 0.26.7
Version: >= 0.27.0, < 0.27.3


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:25:36.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.26.7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.26.7"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.26.7",
                "status": "affected",
                "version": "0.25.0",
                "versionType": "custom"
              },
              {
                "lessThan": "0.27.3",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-04T19:43:24.248114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T19:54:10.232Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.25.0, \u003c 0.26.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-19T19:18:32.414Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.26.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.7"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
        }
      ],
      "source": {
        "advisory": "GHSA-469h-mqg8-535r",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim Cross-site Scripting vulnerability in the external link redirections"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32693",
    "datePublished": "2023-07-11T17:19:26.138Z",
    "dateReserved": "2023-05-11T16:33:45.733Z",
    "dateUpdated": "2024-11-04T19:54:10.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-47634 (GCVE-0-2023-47634)
Vulnerability from cvelistv5
Published
2024-02-20 16:37
Modified
2024-08-02 21:16
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than one endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel. Versions 0.26.9, 0.27.5, and 0.28.0 contain a patch for this issue. As a workaround, disable the Endorsement feature in the components.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.10.0, < 0.26.9
Version: >= 0.27.0, < 0.27.5


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-29T18:21:02.095576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:26:35.629Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:16:42.668Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.26.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.10.0, \u003c 0.26.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel. Versions 0.26.9, 0.27.5, and 0.28.0 contain a patch for this issue. As a workaround, disable the Endorsement feature in the components. "
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T16:37:51.966Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.26.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        }
      ],
      "source": {
        "advisory": "GHSA-r275-j57c-7mf2",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim has race condition in Endorsements"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-47634",
    "datePublished": "2024-02-20T16:37:51.966Z",
    "dateReserved": "2023-11-07T16:57:49.245Z",
    "dateUpdated": "2024-08-02T21:16:42.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-34090 (GCVE-0-2023-34090)
Vulnerability from cvelistv5
Published
2023-07-11 17:29
Modified
2024-10-23 15:27
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.27.0, < 0.27.3


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:01:53.423Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9"
          },
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.27.3",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34090",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T15:26:40.815767Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-23T15:27:20.029Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3. "
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-11T17:29:36.629Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9"
        },
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.3"
        }
      ],
      "source": {
        "advisory": "GHSA-jm79-9pm4-vrw9",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim vulnerable to sensitive data disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34090",
    "datePublished": "2023-07-11T17:29:36.629Z",
    "dateReserved": "2023-05-25T21:56:51.244Z",
    "dateUpdated": "2024-10-23T15:27:20.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-32469 (GCVE-0-2024-32469)
Vulnerability from cvelistv5
Published
2024-07-10 19:10
Modified
2024-08-02 02:13
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.6
Version: >= 0.28.0.rc1, < 0.28.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32469",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-11T14:25:38.744268Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-11T14:25:47.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:13:39.100Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.28.0.rc1, \u003c 0.28.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-10T19:10:36.304Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
        }
      ],
      "source": {
        "advisory": "GHSA-7cx8-44pc-xv3q",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim has cross-site scripting (XSS) in the pagination"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32469",
    "datePublished": "2024-07-10T19:10:36.304Z",
    "dateReserved": "2024-04-12T19:41:51.166Z",
    "dateUpdated": "2024-08-02T02:13:39.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-51447 (GCVE-0-2023-51447)
Vulnerability from cvelistv5
Published
2024-02-20 17:29
Modified
2024-08-26 14:47
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `<svg onload=alert('XSS')>` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.27.0, < 0.27.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:32:09.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
          },
          {
            "name": "https://github.com/decidim/decidim/pull/11612",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/pull/11612"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
          },
          {
            "name": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.27.5",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-51447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:26:23.301660Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T14:47:59.180Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T17:29:35.677Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/11612",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/11612"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        },
        {
          "name": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
        }
      ],
      "source": {
        "advisory": "GHSA-9w99-78rj-hmxq",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim vulnerable to cross-site scripting (XSS) in the dynamic file uploads"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-51447",
    "datePublished": "2024-02-20T17:29:35.677Z",
    "dateReserved": "2023-12-19T15:19:39.615Z",
    "dateUpdated": "2024-08-26T14:47:59.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27095 (GCVE-0-2024-27095)
Vulnerability from cvelistv5
Published
2024-07-10 19:07
Modified
2024-08-02 00:27
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. The admin panel is subject to a potential XSS attack if the attacker manages to modify some of the records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1.
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.6
Version: >= 0.28.0.rc1, < 0.28.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27095",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T19:56:08.980647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T19:56:37.741Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:27:59.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.28.0.rc1, \u003c 0.28.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-10T19:07:45.995Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
        }
      ],
      "source": {
        "advisory": "GHSA-529p-jj47-w3m3",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim cross-site scripting (XSS) in the admin panel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27095",
    "datePublished": "2024-07-10T19:07:45.995Z",
    "dateReserved": "2024-02-19T14:43:05.993Z",
    "dateUpdated": "2024-08-02T00:27:59.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-45594 (GCVE-0-2024-45594)
Vulnerability from cvelistv5
Published
2024-11-13 16:21
Modified
2024-11-13 18:43
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. The meeting embeds feature used in online or hybrid meetings is subject to a potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.28.0, < 0.28.3


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "status": "affected",
                "version": "0.28.0"
              },
              {
                "status": "affected",
                "version": "0.28.1"
              },
              {
                "status": "affected",
                "version": "0.28.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T18:43:43.229338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T18:43:57.042Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.28.0, \u003c 0.28.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-13T16:21:37.850Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v"
        }
      ],
      "source": {
        "advisory": "GHSA-j4h6-gcj7-7v9v",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim allows cross-site scripting (XSS) in the online or hybrid meeting embeds"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45594",
    "datePublished": "2024-11-13T16:21:37.850Z",
    "dateReserved": "2024-09-02T16:00:02.423Z",
    "dateUpdated": "2024-11-13T18:43:57.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-36465 (GCVE-0-2023-36465)
Vulnerability from cvelistv5
Published
2023-10-06 11:56
Modified
2024-09-19 18:48
CWE
  • CWE-284 - Improper Access Control
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module does not enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete survey templates. This issue has been patched in versions 0.26.8 and 0.27.4.
Impacted products
Vendor Product Version
decidim decidim Version: >= 0.23.2, < 0.26.8
Version: >= 0.27.0, < 0.27.4


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:57.045Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.26.8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.26.8"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36465",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T18:47:43.005008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T18:48:00.313Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.23.2, \u003c 0.26.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn\u0027t enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-06T11:56:46.825Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.26.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.8"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.4"
        }
      ],
      "source": {
        "advisory": "GHSA-639h-86hw-qcjq",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim has broken access control in templates"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36465",
    "datePublished": "2023-10-06T11:56:46.825Z",
    "dateReserved": "2023-06-21T18:50:41.700Z",
    "dateUpdated": "2024-09-19T18:48:00.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27090 (GCVE-0-2024-27090)
Vulnerability from cvelistv5
Published
2024-07-10 18:25
Modified
2024-08-02 00:27
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc.), then some data of this resource could be accessed without authentication. This vulnerability is fixed in 0.27.6.
Impacted products
Vendor Product Version
decidim decidim Version: < 0.27.6


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.27.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27090",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T19:29:59.485283Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-11T17:44:23.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:27:57.819Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv"
          },
          {
            "name": "https://github.com/decidim/decidim/pull/12528",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/pull/12528"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embbeded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed. This vulnerability is fixed in 0.27.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-10T18:25:26.241Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/12528",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/12528"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
        }
      ],
      "source": {
        "advisory": "GHSA-qcj6-vxwx-4rqv",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim vulnerable to data disclosure through the embed feature"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27090",
    "datePublished": "2024-07-10T18:25:26.241Z",
    "dateReserved": "2024-02-19T14:43:05.992Z",
    "dateUpdated": "2024-08-02T00:27:57.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}