GHSA-rx9f-5ggv-5rh6: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log
Impact
The admin panel is subject to a potential XSS attack when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry, and one of the resources involved contains a crafted XSS payload.
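The following Ruby snippet is an added illustration, not Decidim's own code: it contrasts a hypothetical log presenter that interpolates a resource title straight into markup with one that escapes every user-controlled value first. The entry fields, the helper names and the sample proposal title are all constructed for the example.

```ruby
require "erb"

# Constructed sample log entry for the scenario in the advisory: an admin
# assigns a valuator to a proposal whose title (a user-editable field)
# carries markup. Nothing here is taken from a real Decidim instance.
SAMPLE_ENTRY = {
  admin: "Alice",
  action: "assigned valuator",
  valuator: "Bob",
  resource_title: "Budget 2024 <script>alert(1)</script>"
}.freeze

# Vulnerable pattern (hypothetical): the presenter assembles an HTML
# fragment by plain string interpolation and treats the result as safe,
# so the resource title reaches the admin's browser unescaped.
def render_log_entry_unsafe(entry)
  "<li><strong>#{entry[:admin]}</strong> #{entry[:action]} " \
  "#{entry[:valuator]} on <em>#{entry[:resource_title]}</em></li>"
end

# Hardened pattern: each interpolated value is HTML-escaped before it is
# placed inside the fixed markup authored by the template (ASVS 5.1.3
# style output encoding). ERB::Util.html_escape is Ruby's standard helper.
def render_log_entry_safe(entry)
  h = ->(value) { ERB::Util.html_escape(value.to_s) }
  "<li><strong>#{h.(entry[:admin])}</strong> #{h.(entry[:action])} " \
  "#{h.(entry[:valuator])} on <em>#{h.(entry[:resource_title])}</em></li>"
end

# Minimal regression check a reviewer can run over rendered log lines:
# true when a raw <script> tag survived into the output.
def contains_raw_script_tag?(html)
  html.include?("<script>")
end
```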
Patches
N/A
Workarounds
Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (e.g. /admin/organization/edit).
References
OWASP ASVS v4.0.3-5.1.3
- CVE-2024-32034
Moderate severity GitHub Reviewed Published Sep 16, 2024 in decidim/decidim • Updated Sep 16, 2024
Package
Affected versions: <= 0.27.6; >= 0.28.0, <= 0.28.1
Patched versions: 0.27.7; 0.28.2
References
- GHSA-rx9f-5ggv-5rh6
Published to the GitHub Advisory Database
Sep 16, 2024
Last updated
Sep 16, 2024