Headline
GHSA-j4h6-gcj7-7v9v: decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds
Impact
The meeting embeds feature used in online or hybrid meetings is subject to a potential cross-site scripting (XSS) attack through a malformed URL.
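An embed field that accepts a URL from a participant is only safe if the URL is validated before it is rendered and escaped when it is placed into markup. The following Ruby module is an added illustration of that defensive pattern; it is not Decidim's code and makes two assumptions of its own: that meeting embeds only need `https` URLs, and that the embed is rendered as an `iframe` whose `src` attribute is the only place the URL reaches the page. The module name, method names and sample URLs are constructed for the example.

```ruby
require "uri"
require "erb"

# Added example, not part of decidim-meetings: validate a participant-supplied
# embed URL before it is rendered, and HTML-escape it on output.
module SafeMeetingEmbed
  # Assumption for this example: online meeting providers are reached over https only.
  ALLOWED_SCHEMES = %w[https].freeze

  # Returns the URL as a string if +raw+ is an absolute https URL with a host,
  # or nil for anything else: relative paths, javascript:/data: URIs, strings the
  # parser rejects (quotes, spaces), control characters, or embedded credentials.
  def self.safe_embed_url(raw)
    return nil unless raw.is_a?(String)
    return nil if raw != raw.strip || raw.match?(/[[:cntrl:]]/)

    uri = URI.parse(raw)
    return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
    return nil unless uri.host && !uri.host.empty?
    return nil if uri.userinfo # reject https://user:secret@host/ forms

    uri.to_s
  rescue URI::InvalidURIError
    nil
  end

  # Builds the iframe markup. Only a validated URL reaches the attribute, and it
  # is escaped so quotes, ampersands or angle brackets cannot end the attribute
  # or the tag. Returns an empty string when the URL is rejected.
  def self.embed_iframe_html(raw)
    url = safe_embed_url(raw)
    return "" if url.nil?

    # Constructed sandbox/referrer settings; tighten or loosen them to what the
    # meeting provider actually needs.
    %(<iframe src="#{ERB::Util.html_escape(url)}" sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer"></iframe>)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one acceptable URL and several that must be rejected.
  [
    "https://meet.example.org/room-42",
    "https://meet.example.org/room?a=1&b=2",
    "javascript:void(0)",
    "data:text/html,hello",
    "http://meet.example.org/room",
    '"https://meet.example.org/room" onload="x"',
    "/relative/path"
  ].each do |candidate|
    result = SafeMeetingEmbed.embed_iframe_html(candidate)
    puts "#{candidate.inspect} -> #{result.empty? ? 'rejected' : result}"
  end
end
```

The scheme check and the output escaping are independent layers: the first keeps `javascript:` and `data:` URLs out entirely, the second makes sure that a URL which passes validation still cannot terminate the `src` attribute. Dropping either one reintroduces the class of problem the advisory describes.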
Patches
Not available
Workarounds
Disable the creation of meetings by participants in the meeting component.
References
OWASP ASVS v4.0.3-5.1.3
Credits
This issue was discovered in a security audit of Decidim organized by mitgestalten Partizipationsbüro. The security audit was carried out by the Austrian Institute of Technology.
CVE-2024-45594
Moderate severity. GitHub Reviewed. Published Nov 13, 2024 in decidim/decidim. Updated Nov 13, 2024.
Package
bundler decidim-meetings (RubyGems)
Affected versions
>= 0.28.0, < 0.28.3