From 47879ab9ac4f3c523cfbd56199c5f0b6ce2bc977 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Thu, 11 Jul 2024 20:23:38 +0000
Subject: [PATCH] Updated advisory posts against rubysec/ruby-advisory-db@58766d8
---
 .../_posts/2024-07-10-CVE-2024-27090.md | 42 ++++++++++++++++
 .../_posts/2024-07-10-CVE-2024-27095.md | 50 +++++++++++++++++++
 .../_posts/2024-07-10-CVE-2024-32469.md | 47 +++++++++++++++++
 3 files changed, 139 insertions(+)
 create mode 100644 advisories/_posts/2024-07-10-CVE-2024-27090.md
 create mode 100644 advisories/_posts/2024-07-10-CVE-2024-27095.md
 create mode 100644 advisories/_posts/2024-07-10-CVE-2024-32469.md
diff --git a/advisories/_posts/2024-07-10-CVE-2024-27090.md b/advisories/_posts/2024-07-10-CVE-2024-27090.md
new file mode 100644
index 0000000..dd1cbc6
--- /dev/null
+++ b/advisories/_posts/2024-07-10-CVE-2024-27090.md
@@ -0,0 +1,42 @@
+---
+layout: advisory
+title: 'CVE-2024-27090 (decidim): Decidim vulnerable to data disclosure through the
+  embed feature'
+comments: false
+categories:
+- decidim
+advisory:
+  gem: decidim
+  cve: 2024-27090
+  ghsa: qcj6-vxwx-4rqv
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
+  title: Decidim vulnerable to data disclosure through the embed feature
+  date: 2024-07-10
+  description: |
+    ### Impact
+    If an attacker can infer the slug or URL of an unpublished or private
+    resource, and this resource can be embedded (such as a Participatory
+    Process, an Assembly, a Proposal, a Result, etc), then some data of
+    this resource could be accessed.
+
+    ### Patches
+
+    Version 0.27.6
+
+    https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
+
+    ### Workarounds
+
+    Disallow access through your web server to the URLs finished with `/embed.html`
+  cvss_v3: 5.3
+  patched_versions:
+  - ">= 0.27.6"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-27090
+    - https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
+    - https://github.com/decidim/decidim/pull/12528
+    - https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/advisories/GHSA-qcj6-vxwx-4rqv
+---
diff --git a/advisories/_posts/2024-07-10-CVE-2024-27095.md b/advisories/_posts/2024-07-10-CVE-2024-27095.md
new file mode 100644
index 0000000..ddd52c6
--- /dev/null
+++ b/advisories/_posts/2024-07-10-CVE-2024-27095.md
@@ -0,0 +1,50 @@
+---
+layout: advisory
+title: 'CVE-2024-27095 (decidim-admin): Decidim cross-site scripting (XSS) in the
+  admin panel'
+comments: false
+categories:
+- decidim-admin
+advisory:
+  gem: decidim-admin
+  cve: 2024-27095
+  ghsa: 529p-jj47-w3m3
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3
+  title: Decidim cross-site scripting (XSS) in the admin panel
+  date: 2024-07-10
+  description: |
+    ### Impact
+
+    The admin panel is subject to potential XSS attach in case the attacker
+    manages to modify some records being uploaded to the server.
+
+    The attacker is able to change e.g. to ``
+    if they know how to craft these requests themselves. And then enter
+    the returned blob ID to the form inputs manually by modifying the
+    edit page source.
+
+    ### Patches
+
+    Available in versions 0.27.6 and 0.28.1.
+
+    ### Workarounds
+
+    Review the user accounts that have access to the admin panel (i.e.
+    general Administrators, and participatory space's Administrators)
+    and remove access to them if they don't need it.
+
+    ### References
+
+    OWASP ASVS v4.0.3-5.1.3
+  cvss_v3: 5.4
+  patched_versions:
+  - "~> 0.27.6"
+  - ">= 0.28.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-27095
+    - https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/decidim/decidim/releases/tag/v0.28.1
+    - https://github.com/advisories/GHSA-529p-jj47-w3m3
+---
diff --git a/advisories/_posts/2024-07-10-CVE-2024-32469.md b/advisories/_posts/2024-07-10-CVE-2024-32469.md
new file mode 100644
index 0000000..df09ec3
--- /dev/null
+++ b/advisories/_posts/2024-07-10-CVE-2024-32469.md
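Review bot: The Impact section of the CVE-2024-27095 post carries an empty inline-code span, `The attacker is able to change e.g. to ``` `` ```, so the sentence no longer says what the attacker changes; the original GHSA text presumably held a markup snippet there that was stripped on import, which should be confirmed against the linked advisory and restored in plain words (e.g. `change the uploaded record's content type to an HTML-bearing value`) rather than as raw markup. The same section reads `potential XSS attach`, which should be `potential XSS attack`. The Credits paragraph of the CVE-2024-32469 post in the next hunk ends mid-sentence with a trailing comma after the AIT link, so the sentence's ending was lost as well. Since the commit subject says these posts are regenerated from rubysec/ruby-advisory-db, the corrections belong in the source advisory entries (and the generator's handling of inline markup), not in these rendered files.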
@@ -0,0 +1,47 @@
+---
+layout: advisory
+title: 'CVE-2024-32469 (decidim): Decidim cross-site scripting (XSS) in the pagination'
+comments: false
+categories:
+- decidim
+advisory:
+  gem: decidim
+  cve: 2024-32469
+  ghsa: 7cx8-44pc-xv3q
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
+  title: Decidim cross-site scripting (XSS) in the pagination
+  date: 2024-07-10
+  description: |
+    ### Impact
+
+    The pagination feature used in searches and filters is subject to
+    potential XSS attack through a malformed URL using the GET parameter
+    `per_page`.
+
+    ### Patches
+
+    Patched in version 0.27.6 and 0.28.1
+
+    ### References
+
+    OWASP ASVS v4.0.3-5.1.3
+
+    ### Credits
+
+    This issue was discovered in a security audit organized by the
+    [mitgestalten Partizipationsbüro](https://partizipationsbuero.at/)
+    and funded by [netidee](https://www.netidee.at/) against Decidim
+    done during April 2024. The security audit was implemented by
+    [AIT Austrian Institute of Technology GmbH](https://www.ait.ac.at/),
+  cvss_v3: 7.1
+  patched_versions:
+  - "~> 0.27.6"
+  - ">= 0.28.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32469
+    - https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/decidim/decidim/releases/tag/v0.28.1
+    - https://github.com/advisories/GHSA-7cx8-44pc-xv3q
+---