← Voltar para CVEs
CVE-2024-32034
MEDIUM6.8
Descricao
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`).
Detalhes CVE
Pontuacao CVSS v3.16.8
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado9/16/2024
Ultima modificacao9/29/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
decidim:decidim
Fraquezas (CWE)
CWE-79
Referencias
https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645(security-advisories@github.com)
https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072(security-advisories@github.com)
https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0(security-advisories@github.com)
https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6(security-advisories@github.com)
https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.