CVE-2024-32034

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-32034
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32034.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32034
Aliases
Published
2024-09-16T18:38:09.562Z
Modified
2025-12-05T04:19:43.105968Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Cross-site scripting (XSS) in the decidim admin activity log
Details

decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. /admin/organization/edit).

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32034.json"
}
References

Affected packages

Git / github.com/decidim/decidim

Affected ranges

Type
GIT
Repo
https://github.com/decidim/decidim
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e5964b87fc976e57182c3047872f4308cef860ff
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.27.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/decidim/decidim
Events
Introduced
94ca626c877af4a41ebbfe14b786ef3961bc66ba
Fixed
d89bccc5962740075ee47661125521c22e30c8ba
Database specific 
{
    "versions": [
        {
            "introduced": "0.28.0"
        },
        {
            "fixed": "0.28.2"
        }
    ]
}

Affected versions

v0.*

v0.0.1
v0.0.1.alpha
v0.0.1.alpha1
v0.0.1.alpha2
v0.0.1.alpha3
v0.0.1.alpha4
v0.0.1.alpha5
v0.0.1.alpha6
v0.0.1.alpha7
v0.0.1.alpha8
v0.0.1.alpha9
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.8.1
v0.1.0
v0.2.0
v0.20.0
v0.27.0
v0.27.0.rc1
v0.27.1
v0.27.2
v0.27.3
v0.27.4
v0.27.5
v0.27.6
v0.28.0
v0.28.1
v0.3.0
v0.4.0
v0.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32034.json"