CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39910 – Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSWYG editor
https://notcve.org/view.php?id=CVE-2024-39910
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. • https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32034 – Cross-site scripting (XSS) in the decidim admin activity log
https://notcve.org/view.php?id=CVE-2024-32034
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. • https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6 https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645 https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072 https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0 https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32469 – Decidim has cross-site scripting (XSS) in the pagination
https://notcve.org/view.php?id=CVE-2024-32469
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1. Decidim es un framework de democracia participativa. La función de paginación utilizada en búsquedas y filtros está sujeta a posibles ataques XSS a través de una URL con formato incorrecto utilizando el parámetro GET `per_page`. • https://github.com/decidim/decidim/releases/tag/v0.27.6 https://github.com/decidim/decidim/releases/tag/v0.28.1 https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27095 – Decidim cross-site scripting (XSS) in the admin panel
https://notcve.org/view.php?id=CVE-2024-27095
Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1. Decidim es un framework de democracia participativa. El panel de administración está sujeto a un posible adjunto XSS en caso de que el atacante logre modificar algunos registros que se cargan en el servidor. • https://github.com/decidim/decidim/releases/tag/v0.27.6 https://github.com/decidim/decidim/releases/tag/v0.28.1 https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27090 – Decidim vulnerable to data disclosure through the embed feature
https://notcve.org/view.php?id=CVE-2024-27090
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embbeded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed. This vulnerability is fixed in 0.27.6. Decidim es un framework de democracia participativa, escrito en Ruby on Rails, desarrollado originalmente para el sitio web de participación en línea y fuera de línea del gobierno de la ciudad de Barcelona. Si un atacante puede inferir el slug o la URL de un recurso privado o no publicado, y este recurso puede estar incrustado (como un proceso participativo, una asamblea, una propuesta, un resultado, etc.), entonces se podría acceder a algunos datos de este recurso. . • https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705 https://github.com/decidim/decidim/pull/12528 https://github.com/decidim/decidim/releases/tag/v0.27.6 https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •