PT-2024-24369 · Decidim · Decidim
Andreslucena
Published 2024-09-16 · Updated 2024-09-29
CVE-2024-32034
CVSS v3.1: 6.8 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Decidim versions prior to 0.27.7
Decidim versions prior to 0.28.2
Description
The Decidim admin panel is vulnerable to cross-site scripting (XSS) when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry, for a resource whose content has been crafted to carry an XSS payload.
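As an added illustration (not Decidim's code and not part of this advisory), the Ruby snippet below shows the pattern behind this class of bug: an activity-log renderer that interpolates a resource title straight into HTML, beside a hardened version that escapes every untrusted field with ERB::Util.html_escape before it reaches the markup. The function names, the log-line format and the sample title are constructed for the example and are assumptions, not details taken from the advisory.

```ruby
require "erb"

# Constructed sample input for the example: a resource title containing markup.
# Any admin-facing log line that embeds such a field unescaped is at risk.
CRAFTED_TITLE = %q(<img src=x onerror="alert(1)">)

# Hypothetical activity-log renderer, vulnerable form: untrusted fields are
# interpolated directly into the HTML string, so markup in the title is rendered.
def render_log_entry_unsafe(actor:, action:, resource_title:)
  "<li>#{actor} #{action} <strong>#{resource_title}</strong></li>"
end

# Hardened form: every field that may originate from user input is HTML-escaped
# (ERB::Util.html_escape turns & < > " ' into entities) before it enters the markup.
def render_log_entry_safe(actor:, action:, resource_title:)
  esc = ->(value) { ERB::Util.html_escape(value.to_s) }
  "<li>#{esc.(actor)} #{esc.(action)} <strong>#{esc.(resource_title)}</strong></li>"
end

# A check a reviewer or test suite can run over rendered output: input that
# contains tag or attribute syntax must not survive verbatim in the HTML.
def leaks_raw_markup?(html, input)
  input.match?(/[<>"']/) && html.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  args = { actor: "admin", action: "assigned a valuator to", resource_title: CRAFTED_TITLE }
  puts "unsafe: #{render_log_entry_unsafe(**args)}"
  puts "safe:   #{render_log_entry_safe(**args)}"
  puts "unsafe leaks markup? #{leaks_raw_markup?(render_log_entry_unsafe(**args), CRAFTED_TITLE)}"
  puts "safe leaks markup?   #{leaks_raw_markup?(render_log_entry_safe(**args), CRAFTED_TITLE)}"
end
```

The point of the hardened version is that escaping happens at the output boundary for every field, not only for the one field known to be user-controlled; an activity log aggregates data from many resource types, so the renderer cannot assume any of them is already safe.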
Recommendations
For versions prior to 0.27.7, upgrade to version 0.27.7 or newer.
For versions prior to 0.28.2, upgrade to version 0.28.2 or newer.
As a temporary workaround for users unable to upgrade, consider redirecting the pages "/admin" and "/admin/logs" to other admin pages, such as "/admin/organization/edit", so that the affected log views cannot be reached.
Weakness Enumeration
XSS
Affected Products
Decidim