fkie_nvd - fkie_cve-2024-27095

fkie_cve-2024-27095

Vulnerability from fkie_nvd

Published

2024-07-10 19:15

Modified

2024-11-21 09:03

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1.

References

URL	Tags
security-advisories@github.com	https://github.com/decidim/decidim/releases/tag/v0.27.6	Release Notes
security-advisories@github.com	https://github.com/decidim/decidim/releases/tag/v0.28.1	Release Notes
security-advisories@github.com	https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/decidim/decidim/releases/tag/v0.27.6	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/decidim/decidim/releases/tag/v0.28.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3	Third Party Advisory

Impacted products

Vendor	Product	Version
decidim	decidim	*
decidim	decidim	0.28.0
decidim	decidim	0.28.0
decidim	decidim	0.28.0
decidim	decidim	0.28.0
decidim	decidim	0.28.0
decidim	decidim	0.28.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F06324EE-53B1-4FAE-8BEF-795C35E4975D",
              "versionEndExcluding": "0.27.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "637B8863-0862-4FB4-9871-EDCF21054F34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc1:*:*:*:ruby:*:*",
              "matchCriteriaId": "8B3E98CE-A52C-4965-8549-559A23A38306",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc2:*:*:*:ruby:*:*",
              "matchCriteriaId": "D90343A7-D472-4EE2-91A1-9F173A42BCD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc3:*:*:*:ruby:*:*",
              "matchCriteriaId": "A7805027-BBE2-48C3-AE74-F8D03A76D00F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc4:*:*:*:ruby:*:*",
              "matchCriteriaId": "178DC9F7-9880-437E-A0BF-CD5A4E6691BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.28.0:rc5:*:*:*:ruby:*:*",
              "matchCriteriaId": "76E8A31B-8F15-4D43-A371-230C4FADDF5F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. El panel de administraci\u00f3n est\u00e1 sujeto a un posible adjunto XSS en caso de que el atacante logre modificar algunos registros que se cargan en el servidor. Esta vulnerabilidad se solucion\u00f3 en 0.27.6 y 0.28.1."
    }
  ],
  "id": "CVE-2024-27095",
  "lastModified": "2024-11-21T09:03:50.910",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-10T19:15:10.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.27.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.28.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2024-27095 (GCVE-0-2024-27095)

Vulnerability from cvelistv5

Published

2024-07-10 19:07

Modified

2024-08-02 00:27

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')