CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41673 – Decidim has a cross-site scripting vulnerability in the version control page
https://notcve.org/view.php?id=CVE-2024-41673
Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8. • https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637 https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39910 – Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSWYG editor
https://notcve.org/view.php?id=CVE-2024-39910
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. • https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32034 – Cross-site scripting (XSS) in the decidim admin activity log
https://notcve.org/view.php?id=CVE-2024-32034
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. • https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6 https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645 https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072 https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0 https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32469 – Decidim has cross-site scripting (XSS) in the pagination
https://notcve.org/view.php?id=CVE-2024-32469
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1. Decidim es un framework de democracia participativa. La función de paginación utilizada en búsquedas y filtros está sujeta a posibles ataques XSS a través de una URL con formato incorrecto utilizando el parámetro GET `per_page`. • https://github.com/decidim/decidim/releases/tag/v0.27.6 https://github.com/decidim/decidim/releases/tag/v0.28.1 https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27095 – Decidim cross-site scripting (XSS) in the admin panel
https://notcve.org/view.php?id=CVE-2024-27095
Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1. Decidim es un framework de democracia participativa. El panel de administración está sujeto a un posible adjunto XSS en caso de que el atacante logre modificar algunos registros que se cargan en el servidor. • https://github.com/decidim/decidim/releases/tag/v0.27.6 https://github.com/decidim/decidim/releases/tag/v0.28.1 https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •