PT-2024-21646 · Decidim · Decidim
Andreslucena · Published 2024-07-10 · Updated 2024-08-30 · CVE-2024-27095
CVSS v4.0: 6.8 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Decidim versions prior to 0.27.6
Decidim versions prior to 0.28.1
Description
Decidim is a participatory democracy framework. Its admin panel is subject to a potential cross-site scripting (XSS) attack if an attacker manages to modify some of the records being uploaded to the server. This requires the attacker to craft specific requests and to modify the edit page source so that a blob ID returned by the server is entered into the form inputs manually.
Recommendations
For Decidim versions prior to 0.27.6, update to version 0.27.6 or later.
For Decidim versions prior to 0.28.1, update to version 0.28.1 or later.
As a temporary workaround, review the user accounts that have access to the admin panel and remove that access from any account that does not need it.
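The description above points at two generic defences for this class of bug: a form must not trust a blob identifier that the client can type into the page by hand, and any attribute read back from an uploaded record must be HTML-escaped before it is rendered in the admin panel. The following is an added, illustrative Ruby snippet written for this advisory; it is not Decidim's code and does not reproduce the actual vulnerable path, whose exact field is not stated here. The HMAC-signed blob reference, the secret, and the sample record are all constructed for the example.

```ruby
require "erb"
require "openssl"

# Constructed secret for the example; a real application keeps this in its credentials store.
DEMO_SECRET = "constructed-demo-secret".freeze

# Server side: when a blob id is returned to the browser, attach a MAC so the
# client cannot substitute an arbitrary id in the form input without detection.
def sign_blob_id(blob_id, secret = DEMO_SECRET)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, blob_id.to_s)
  "#{blob_id}--#{mac}"
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: on submit, accept the blob id only if its MAC verifies.
# Returns the plain id on success, nil for a missing, malformed or forged value.
def verify_blob_id(signed_value, secret = DEMO_SECRET)
  id, mac = signed_value.to_s.split("--", 2)
  return nil if id.nil? || id.empty? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, id)
  constant_time_equal?(mac, expected) ? id : nil
end

# Admin view: every attribute that originated from an upload (title, filename,
# description...) is escaped before it is interpolated into the page.
def render_attachment_row(record)
  cells = [record[:title], record[:filename]].map { |v| ERB::Util.html_escape(v.to_s) }
  "<tr><td>#{cells[0]}</td><td>#{cells[1]}</td></tr>"
end

# Constructed sample record with a script payload in the filename.
SAMPLE_RECORD = {
  title: "Budget 2024",
  filename: "<script>alert(1)</script>.pdf"
}.freeze

if $PROGRAM_NAME == __FILE__
  signed = sign_blob_id(42)
  puts "signed reference: #{signed}"
  puts "verified id:      #{verify_blob_id(signed).inspect}"
  puts "forged id:        #{verify_blob_id('43--0000').inspect}"
  puts render_attachment_row(SAMPLE_RECORD)
end
```

The signing step is what stops the "enter a returned blob ID manually" route described above: an id copied from one response cannot be swapped for another without the MAC failing. The escaping step is the backstop in case a hostile value still reaches the database.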
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products: Decidim