CVE-2024-32034

216.73.217.22

· Published 16/09/2024 19:16 · Modified 29/09/2024 00:14

Labels: CVE-2024-32034 2024-09-16 CVE-2024-32034 CWE-79 [email protected]

Essential information

Published: 16/09/2024 19:16
Modified: 29/09/2024 00:14
Author: —
Creator: —
CVSS: 4.8 MEDIUM (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`).

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
decidim / decidim	`cpe:2.3:a:decidim:decidim::::::ruby::*`
decidim / decidim	`cpe:2.3:a:decidim:decidim:0.28.0:-::::ruby::*`
decidim / decidim	`cpe:2.3:a:decidim:decidim:0.28.1:::::ruby::`