Decidim cross-site scripting (XSS) in the admin panel

Moderate severity GitHub Reviewed Published Jul 10, 2024 in decidim/decidim • Updated Jul 11, 2024

Package

decidim-admin (RubyGems)

Affected versions

< 0.27.6
>= 0.28.0.rc1, < 0.28.1

Patched versions

0.27.6
0.28.1

Description

Impact

The admin panel is subject to a potential XSS attack if the attacker manages to modify some of the records being uploaded to the server.

The attacker is able to change the uploaded record, e.g. to <svg onload=alert('XSS')>, if they know how to craft these requests themselves, and then enter the returned blob ID into the form inputs manually by modifying the edit page source.
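The defensive pattern this advisory points at is output encoding of attacker-controlled upload metadata in admin views, with input validation as defence in depth. The following Ruby is an added, illustrative example and is not Decidim's code or its actual patch; the `filename` attribute, the function names and the sample values are assumptions, and the payload string is the one quoted above.

```ruby
require "cgi"

# Constructed sample values: an attachment filename as it might arrive in a
# crafted upload request (not a real Decidim record), and a benign one.
MALICIOUS_FILENAME = "<svg onload=alert('XSS')>"
BENIGN_FILENAME = "minutes-2024-07.pdf"

# Vulnerable pattern: interpolating an untrusted value straight into HTML.
# Any markup in the value becomes part of the rendered admin page.
def render_attachment_row_unsafe(filename)
  "<tr><td>#{filename}</td></tr>"
end

# Hardened pattern: HTML-escape every untrusted value at the output boundary.
# CGI.escapeHTML encodes <, >, &, " and ' so the browser treats them as text.
def render_attachment_row(filename)
  "<tr><td>#{CGI.escapeHTML(filename.to_s)}</td></tr>"
end

# Defence in depth at the input boundary: accept only filenames made of a
# conservative character set. This complements, and does not replace,
# output escaping, because the admin panel may render other fields too.
SAFE_FILENAME = /\A\w[\w.\- ]{0,254}\z/

def valid_filename?(filename)
  SAFE_FILENAME.match?(filename.to_s)
end

# Review helper for existing data: flag stored filenames that contain
# HTML-significant characters, which is what a crafted record looks like.
def suspicious_filename?(filename)
  filename.to_s.match?(/[<>"'&]/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_attachment_row_unsafe(MALICIOUS_FILENAME) # markup survives
  puts render_attachment_row(MALICIOUS_FILENAME)        # markup is escaped
  puts valid_filename?(MALICIOUS_FILENAME)              # false
  puts valid_filename?(BENIGN_FILENAME)                 # true
end
```

Escaping at render time is the fix that holds even when a record was inserted by a crafted request rather than through the normal upload form; `suspicious_filename?` is the kind of check an operator can run over stored attachment records when assessing exposure on an unpatched instance.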

Patches

Available in versions 0.27.6 and 0.28.1.

Workarounds

Review the user accounts that have access to the admin panel (i.e. general Administrators and participatory space Administrators) and remove that access from any account that does not need it.

References

OWASP ASVS v4.0.3-5.1.3

@andreslucena published to decidim/decidim Jul 10, 2024
Published to the GitHub Advisory Database Jul 10, 2024
Reviewed Jul 10, 2024
Published by the National Vulnerability Database Jul 10, 2024
Last updated Jul 11, 2024

Severity

Moderate (5.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2024-27095

GHSA ID

GHSA-529p-jj47-w3m3

Source code
