CVE-2024-43415

Name of the Vulnerable Software and Affected Versions decidim awesome-module versions 0.9.0 through 0.11.1

Description An improper neutralization of special elements used in an SQL command in the papertrail/version-model of the decidim awesome-module allows an authenticated admin user to manipulate SQL queries to disclose information, read and write files, or execute commands. This issue can lead to remote code execution on the server. The affected component is a raw SQL statement that uses an interpolated variable in the admin role actions method of the papertrail/version-model. An attacker with admin permissions could exploit this to read out the database, read files from the filesystem, write files to the filesystem, or execute commands.

Recommendations For decidim awesome-module versions 0.9.0 through 0.11.1, consider disabling the papertrail/version-model until a patch is available to prevent manipulation of SQL queries. Restrict access to the admin role actions method in the app/models/decidim/decidim awesome/paper trail version.rb file to minimize the risk of exploitation. Avoid using interpolated variables in SQL statements to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.