-
-
Notifications
You must be signed in to change notification settings - Fork 221
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
101 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| gem: decidim-admin | ||
| cve: 2024-32034 | ||
| ghsa: rx9f-5ggv-5rh6 | ||
| url: https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6 | ||
| title: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity | ||
| log | ||
| date: 2024-09-16 | ||
| description: | | ||
| ### Impact | ||
| The admin panel is subject to potential XSS attach in case an admin | ||
| assigns a valuator to a proposal, or does any other action that | ||
| generates an admin activity log where one of the resources has an | ||
| XSS crafted. | ||
| ### Patches | ||
| N/A | ||
| ### Workarounds | ||
| Redirect the pages /admin and /admin/logs to other admin pages | ||
| to prevent this access (i.e. `/admin/organization/edit`) | ||
| ### References | ||
| OWASP ASVS v4.0.3-5.1.3 | ||
| cvss_v3: 6.8 | ||
| patched_versions: | ||
| - "~> 0.27.7" | ||
| - ">= 0.28.2" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-32034 | ||
| - https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6 | ||
| - https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645 | ||
| - https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072 | ||
| - https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0 | ||
| - https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6 | ||
| - https://github.com/advisories/GHSA-rx9f-5ggv-5rh6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| --- | ||
| gem: decidim | ||
| cve: 2024-39910 | ||
| ghsa: vvqw-fqwx-mqmm | ||
| url: https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm | ||
| title: Decidim::Admin vulnerable to cross-site scripting (XSS) in | ||
| the admin panel with QuillJS WYSWYG editor | ||
| date: 2024-09-16 | ||
| description: | | ||
| ### Impact | ||
| The WYSWYG editor QuillJS is subject to potential XSS attach in | ||
| case the attacker manages to modify the HTML before being | ||
| uploaded to the server. | ||
| The attacker is able to change e.g. to <svg onload=alert('XSS')> | ||
| if they know how to craft these requests themselves. | ||
| ### Patches | ||
| N/A | ||
| ### Workarounds | ||
| Review the user accounts that have access to the admin panel (i.e. | ||
| general Administrators, and participatory space's Administrators) | ||
| and remove access to them if they don't need it. | ||
| Disable the "Enable rich text editor for participants" setting in | ||
| the admin dashboard. | ||
| ### References | ||
| OWASP ASVS v4.0.3-5.1.3 | ||
| cvss_v3: 5.4 | ||
| patched_versions: | ||
| - ">= 0.27.7" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-39910 | ||
| - https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm | ||
| - https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f | ||
| - https://github.com/advisories/GHSA-vvqw-fqwx-mqmm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| --- | ||
| gem: sidekiq-unique-jobs | ||
| cve: 2023-46950 | ||
| ghsa: fhx8-5c23-x7x5 | ||
| url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38 | ||
| title: Cross Site Scripting vulnerability in Contribsys Sidekiq | ||
| date: 2024-03-01 | ||
| description: | | ||
| Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 | ||
| allows a remote attacker to obtain sensitive information via a | ||
| crafted URL to the filter functions. | ||
| cvss_v3: 6.1 | ||
| patched_versions: | ||
| - "~> 7.1.33" | ||
| - ">= 8.0.7" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-46950 | ||
| - https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38 | ||
| - https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7 | ||
| - https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951 | ||
| - https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829 | ||
| - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc | ||
| - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed | ||
| - https://github.com/advisories/GHSA-fhx8-5c23-x7x5 |