CVE-2023-51447 (GCVE-0-2023-51447)
Vulnerability from cvelistv5
Published: 2024-02-20 17:29
Modified: 2024-08-26 14:47
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to cross-site scripting if an attacker manages to set the file names of the records being uploaded to the server. The issue appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. I therefore believe it would require the attacker to control the whole session of the particular user, but in any case this needs to be fixed. Successful exploitation requires the attacker to have uploaded a file blob to the server with a malicious file name and then to be able to direct another user to the edit page of the record to which the attachment is attached. Users can craft the direct upload requests themselves and so control the file name that is stored in the database: an attacker who knows how to craft these requests can set the file name to, e.g., `<svg onload=alert('XSS')>`, and then enter the returned blob ID into the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.
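The chain the description sketches, as an added Ruby illustration that is neither Decidim's nor Rails' own code: the body a client POSTs to the Rails direct upload endpoint carries the filename, the server stores it as given, and the stored name is later written into the edit page. The functions `blob_args`, `render_attachment_vulnerable`, `render_attachment_safe`, `suspicious_filename?` and `audit_blob_filenames`, the sample blob rows and the file body are all constructed for this example. It shows the unescaped rendering beside the escaped one, and an audit an operator can run over `active_storage_blobs.filename` to spot names that were planted while an affected version was running.

```ruby
require "erb"
require "json"
require "digest"

# Added illustration of the bug class in CVE-2023-51447; this is not Decidim's
# or Rails' own code. Function names, sample rows and the file body below are
# assumptions made for this example.

# Constructed file body and the JSON a browser-side direct upload would POST to
# /rails/active_storage/direct_uploads. The endpoint takes `filename` from this
# body and stores it on the blob record as given.
FILE_BODY = "hello world!"
DIRECT_UPLOAD_BODY = JSON.generate(
  "blob" => {
    "filename"     => "<svg onload=alert('XSS')>",
    "byte_size"    => FILE_BODY.bytesize,
    "checksum"     => Digest::MD5.base64digest(FILE_BODY),
    "content_type" => "text/plain"
  }
)

# Simplified imitation of what the direct upload endpoint keeps from the
# request: permitted keys are copied through, nothing is sanitised.
PERMITTED = %w[filename byte_size checksum content_type].freeze
def blob_args(params)
  params.fetch("blob").slice(*PERMITTED).transform_keys(&:to_sym)
end

# Vulnerable rendering: the stored filename is interpolated into the edit page
# markup without escaping, so a filename that is HTML becomes HTML.
def render_attachment_vulnerable(filename, blob_id)
  %(<li data-blob-id="#{blob_id}">#{filename}</li>)
end

# Hardened rendering: escape on output. ERB::Util.html_escape turns < > & " '
# into entities, so the same filename is shown as text.
def render_attachment_safe(filename, blob_id)
  %(<li data-blob-id="#{ERB::Util.html_escape(blob_id.to_s)}">#{ERB::Util.html_escape(filename)}</li>)
end

# Operator check: flag stored blob filenames that contain markup, a script
# scheme or control characters. Deliberately broad; hits are items to review.
SUSPICIOUS = /[<>]|javascript:|[\x00-\x1f\x7f]/i
def suspicious_filename?(filename)
  filename.match?(SUSPICIOUS)
end

# rows: array of { id:, filename: } hashes, e.g. pulled from
# active_storage_blobs; returns the ids whose filename looks suspicious.
def audit_blob_filenames(rows)
  rows.select { |row| suspicious_filename?(row[:filename]) }.map { |row| row[:id] }
end

if __FILE__ == $PROGRAM_NAME
  args = blob_args(JSON.parse(DIRECT_UPLOAD_BODY))
  puts "stored filename: #{args[:filename].inspect}"
  puts "vulnerable: #{render_attachment_vulnerable(args[:filename], 42)}"
  puts "safe:       #{render_attachment_safe(args[:filename], 42)}"

  # Constructed sample of blob rows as an operator would pull them from the DB.
  rows = [
    { id: 1, filename: "budget-2023.pdf" },
    { id: 2, filename: args[:filename] },
    { id: 3, filename: "notes.txt\u0000.html" }
  ]
  puts "suspicious blob ids: #{audit_blob_filenames(rows).inspect}"
end
```

Escaping on output is what neutralises the injected name; rejecting odd filenames at upload time is defence in depth, not a substitute, because the direct upload endpoint is the client's to call with whatever body it likes. The audit regex will also flag some unusual but legitimate names, so treat a hit as something to inspect, not as proof of an attack.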
References
Source: security-advisories@github.com
  • https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 (Patch)
  • https://github.com/decidim/decidim/pull/11612 (Issue Tracking)
  • https://github.com/decidim/decidim/releases/tag/v0.27.5 (Release Notes)
  • https://github.com/decidim/decidim/releases/tag/v0.28.0 (Release Notes)
  • https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq (Mitigation, Patch, Vendor Advisory)
  • https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 (Product)
Source: af854a3a-2127-422b-91ae-364da2661108 (CVE Program Container)
  • https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 (Patch)
  • https://github.com/decidim/decidim/pull/11612 (Issue Tracking)
  • https://github.com/decidim/decidim/releases/tag/v0.27.5 (Release Notes)
  • https://github.com/decidim/decidim/releases/tag/v0.28.0 (Release Notes)
  • https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq (Mitigation, Patch, Vendor Advisory)
  • https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 (Product)
Impacted products
  • Vendor: decidim; Product: decidim; Version: >= 0.27.0, < 0.27.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:32:09.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
          },
          {
            "name": "https://github.com/decidim/decidim/pull/11612",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/pull/11612"
          },
          {
            "name": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
          },
          {
            "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
          },
          {
            "name": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "decidim",
            "vendor": "decidim",
            "versions": [
              {
                "lessThan": "0.27.5",
                "status": "affected",
                "version": "0.27.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-51447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-21T19:26:23.301660Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T14:47:59.180Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.27.0, \u003c 0.27.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T17:29:35.677Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/11612",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/11612"
        },
        {
          "name": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        },
        {
          "name": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14"
        }
      ],
      "source": {
        "advisory": "GHSA-9w99-78rj-hmxq",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim vulnerable to cross-site scripting (XSS) in the dynamic file uploads"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-51447",
    "datePublished": "2024-02-20T17:29:35.677Z",
    "dateReserved": "2023-12-19T15:19:39.615Z",
    "dateUpdated": "2024-08-26T14:47:59.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-51447\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-20T18:15:50.547\",\"lastModified\":\"2024-12-16T22:43:27.217\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.\"},{\"lang\":\"es\",\"value\":\"Decidim es un framework de democracia participativa. 
A partir de la versi\u00f3n 0.27.0 y antes de las versiones 0.27.5 y 0.28.0, la funci\u00f3n de carga din\u00e1mica de archivos est\u00e1 sujeta a posibles ataques de Cross-site scripting en caso de que el atacante logre modificar los nombres de los archivos de los registros que se cargan en el servidor. Esto aparece en secciones donde el usuario controla los cuadros de di\u00e1logo de carga de archivos y tiene el conocimiento t\u00e9cnico para cambiar los nombres de los archivos a trav\u00e9s del endpoint de carga din\u00e1mica. Por lo tanto, creo que requerir\u00eda que el atacante controlara toda la sesi\u00f3n del usuario en particular, pero en cualquier caso, esto debe solucionarse. La explotaci\u00f3n exitosa de esta vulnerabilidad requerir\u00eda que el usuario haya subido exitosamente un blob de archivos al servidor con un nombre de archivo malicioso y luego tenga la posibilidad de dirigir al otro usuario a la p\u00e1gina de edici\u00f3n del registro donde se adjunta el archivo adjunto. Los usuarios pueden crear ellos mismos las solicitudes de carga directa controlando el nombre del archivo que se almacena en la base de datos. El atacante puede cambiar el nombre del archivo, por ejemplo, a `` si sabe c\u00f3mo elaborar estas solicitudes por s\u00ed mismo. Y luego ingrese el ID del blob devuelto en las entradas del formulario manualmente modificando la fuente de la p\u00e1gina de edici\u00f3n. Las versiones 0.27.5 y 0.28.0 contienen un parche para este problema. 
Como workaround, deshabilite las cargas din\u00e1micas para la instancia, por ejemplo, desde propuestas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"0.27.0\",\"versionEndExcluding\":\"0.27.5\",\"matchCriteriaId\":\"38FDE900-4C89-45E3-821E-BF6F2A69C587\"}]}]}],\"references\":[{\"url\":\"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/decidim/decidim/pull/11612\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue 
Tracking\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.27.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.28.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/decidim/decidim/pull/11612\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.27.5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.28.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\", \"name\": \"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/decidim/decidim/pull/11612\", \"name\": \"https://github.com/decidim/decidim/pull/11612\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\", \"name\": \"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.27.5\", \"name\": \"https://github.com/decidim/decidim/releases/tag/v0.27.5\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.28.0\", \"name\": \"https://github.com/decidim/decidim/releases/tag/v0.28.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\", \"name\": \"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:32:09.936Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-51447\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": 
\"2024-02-21T19:26:23.301660Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*\"], \"vendor\": \"decidim\", \"product\": \"decidim\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.27.0\", \"lessThan\": \"0.27.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-26T14:47:47.526Z\"}}], \"cna\": {\"title\": \"Decidim vulnerable to cross-site scripting (XSS) in the dynamic file uploads\", \"source\": {\"advisory\": \"GHSA-9w99-78rj-hmxq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"decidim\", \"product\": \"decidim\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.27.0, \u003c 0.27.5\"}]}], \"references\": [{\"url\": \"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\", \"name\": \"https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/decidim/decidim/pull/11612\", \"name\": \"https://github.com/decidim/decidim/pull/11612\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\", \"name\": \"https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.27.5\", \"name\": 
\"https://github.com/decidim/decidim/releases/tag/v0.27.5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.28.0\", \"name\": \"https://github.com/decidim/decidim/releases/tag/v0.28.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\", \"name\": \"https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `\u003csvg onload=alert(\u0027XSS\u0027)\u003e` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. 
Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-20T17:29:35.677Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-51447\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-26T14:47:59.180Z\", \"dateReserved\": \"2023-12-19T15:19:39.615Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-20T17:29:35.677Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

