GHSA-qcj6-vxwx-4rqv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcj6-vxwx-4rqv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-qcj6-vxwx-4rqv/GHSA-qcj6-vxwx-4rqv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcj6-vxwx-4rqv
- Aliases
- Published
- 2024-07-10T15:10:57Z
- Modified
- 2024-07-11T21:45:48.725039Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Decidim vulnerable to data disclosure through the embed feature
- Details
-
Impact
If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed.
Patches
version 0.27.6
https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
Workarounds
Disallow access through your web server to the URLs finished with
/embed.html - Database specific
{ "nvd_published_at": "2024-07-10T19:15:10Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-07-10T15:10:57Z" }- References
-
- https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
- https://nvd.nist.gov/vuln/detail/CVE-2024-27090
- https://github.com/decidim/decidim/pull/12528
- https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
- https://github.com/decidim/decidim
- https://github.com/decidim/decidim/releases/tag/v0.27.6
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-27090.yml
Affected packages
RubyGems / decidim
Package
- Name
- decidim
- Purl
- pkg:gem/decidim
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.27.6
Affected versions
0.*
0.0.1.alpha1
0.0.1.alpha2
0.0.1.alpha3
0.0.1.alpha4
0.0.1.alpha5
0.0.1.alpha6
0.0.1.alpha7
0.0.1.alpha8
0.0.1.alpha9
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8.1
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.11.0.pre1
0.11.1
0.11.2
0.12.0.pre
0.12.0
0.12.1
0.12.2
0.13.0.pre1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.18.0
0.18.1
0.19.0
0.19.1
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1.rc1
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7
0.26.8
0.26.9
0.26.10
0.27.0.rc1
0.27.0.rc2
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5