GHSA-7cx8-44pc-xv3q

Source
https://github.com/advisories/GHSA-7cx8-44pc-xv3q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-7cx8-44pc-xv3q/GHSA-7cx8-44pc-xv3q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7cx8-44pc-xv3q
Aliases
  • CVE-2024-32469
Published
2024-07-10T15:43:39Z
Modified
2024-07-11T21:46:08.236839Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Summary
Decidim cross-site scripting (XSS) in the pagination
Details

Impact

The pagination feature used in searches and filters is subject to a potential XSS attack through a malformed URL that uses the GET parameter per_page.

Patches

Patched in versions 0.27.6 and 0.28.1.

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by the mitgestalten Partizipationsbüro and funded by netidee against Decidim done during April 2024. The security audit was implemented by AIT Austrian Institute of Technology GmbH.

Affected packages

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.27.6

Affected versions

0.*

0.0.1.alpha1
0.0.1.alpha2
0.0.1.alpha3
0.0.1.alpha4
0.0.1.alpha5
0.0.1.alpha6
0.0.1.alpha7
0.0.1.alpha8
0.0.1.alpha9
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8.1
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.11.0.pre1
0.11.1
0.11.2
0.12.0.pre
0.12.0
0.12.1
0.12.2
0.13.0.pre1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.18.0
0.18.1
0.19.0
0.19.1
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1.rc1
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7
0.26.8
0.26.9
0.26.10
0.27.0.rc1
0.27.0.rc2
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.28.0.rc1
Fixed
0.28.1

Affected versions

0.*

0.28.0.rc4
0.28.0.rc5
0.28.0