Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NjUyLTkycjktM2Z4Oc4AA0m4
Decidim Cross-site Scripting vulnerability in the processes filter
Impact
The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.
Patches
The problem was patched in v0.27.3 and v0.26.7
Permalink: https://github.com/advisories/GHSA-5652-92r9-3fx9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NjUyLTkycjktM2Z4Oc4AA0m4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 5 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-5652-92r9-3fx9, CVE-2023-34089
References:
- https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9
- https://nvd.nist.gov/vuln/detail/CVE-2023-34089
- https://github.com/decidim/decidim/releases/tag/v0.27.3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-34089.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34089.yml
- https://github.com/decidim/decidim/releases/tag/v0.26.7
- https://github.com/decidim/decidim/releases/tag/v0.26.6
- https://github.com/advisories/GHSA-5652-92r9-3fx9
Blast Radius: 20.2
Affected Packages
rubygems:decidim-core
Dependent packages: 65Dependent repositories: 311
Downloads: 305,511 total
Affected Version Ranges: >= 0.14.0, < 0.26.7, >= 0.27.0, < 0.27.3
Fixed in: 0.26.7, 0.27.3
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.27.0, 0.27.1, 0.27.2
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.28.0, 0.28.1
rubygems:decidim
Dependent packages: 6Dependent repositories: 312
Downloads: 305,136 total
Affected Version Ranges: >= 0.14.0, < 0.26.7, >= 0.27.0, < 0.27.3
Fixed in: 0.26.7, 0.27.3
All affected versions: 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.27.0, 0.27.1, 0.27.2
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.28.0, 0.28.1