Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xY2o2LXZ4d3gtNHJxds4AA9wt
Decidim vulnerable to data disclosure through the embed feature
Impact
If an attacker can infer the slug or URL of an unpublished or private resource, and that resource is of a type that can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc.), then some of its data can be read through the embed view (the URLs ending in /embed.html), bypassing the visibility check applied to the regular page.
Patches
version 0.27.6
https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
Workarounds
Until you can upgrade, block requests to URLs ending in /embed.html at your web server (reverse proxy), so they never reach the application. Note that this also disables embedding of published resources.
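To make the Impact and Workarounds sections concrete, the following is an added illustration in plain Ruby; it is not Decidim's code, and the slugs, the Resource and Request structs and the route pattern are constructed for this example. It contrasts an embed handler that only checks that a slug resolves (the vulnerable shape) with one that applies the resource's publication state before rendering, and shows an edge filter equivalent to the advisory's web-server rule for paths ending in /embed.html.

```ruby
# Added illustration (not Decidim's code): why an embed endpoint leaks data
# on unpublished resources, and two ways to close the hole.
# Resource names, the Request struct and the lookup are constructed here.

Resource = Struct.new(:slug, :title, :description, :published, keyword_init: true)

# Constructed sample data: one published and one unpublished process.
RESOURCES = [
  Resource.new(slug: "budget-2024", title: "Participatory budget 2024",
               description: "Public process", published: true),
  Resource.new(slug: "draft-merger", title: "Draft: council merger",
               description: "Not yet announced", published: false),
].freeze

# Minimal stand-in for an HTTP request: only the path matters here.
Request = Struct.new(:path, keyword_init: true)

EMBED_ROUTE = %r{\A/processes/([^/]+)/embed\.html\z}

def find_by_slug(slug)
  RESOURCES.find { |r| r.slug == slug }
end

# Vulnerable pattern: the embed view only checks that the slug exists.
# Anyone who guesses "draft-merger" gets the title and description.
def vulnerable_embed(request)
  slug = request.path[EMBED_ROUTE, 1]
  res = slug && find_by_slug(slug)
  return [404, nil] unless res
  [200, { title: res.title, description: res.description }]
end

# Hardened pattern: apply the same visibility rule the regular page uses.
# An unpublished resource gets the same 404 as a nonexistent slug, so the
# response does not even confirm that the slug is valid.
def hardened_embed(request)
  slug = request.path[EMBED_ROUTE, 1]
  res = slug && find_by_slug(slug)
  return [404, nil] unless res && res.published
  [200, { title: res.title, description: res.description }]
end

# Edge workaround, the in-process equivalent of "block URLs ending in
# /embed.html" at the web server: reject before the unpatched handler runs.
EMBED_SUFFIX = %r{/embed\.html\z}

def edge_block(request)
  return [404, nil] if request.path.match?(EMBED_SUFFIX)
  vulnerable_embed(request) # unpatched application behind the filter
end
```

Two practical points when translating this to a real deployment: a web-server rule must match the request path with the query string stripped (most servers do this for location matching, but verify with a request such as `/x/embed.html?v=1`), and the hardened check should reuse the application's existing visibility logic rather than a separate `published` flag, so private and unpublished states are treated identically to the regular page.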
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xY2o2LXZ4d3gtNHJxds4AA9wt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-qcj6-vxwx-4rqv, CVE-2024-27090
References:
- https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
- https://github.com/decidim/decidim/pull/12528
- https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
- https://github.com/decidim/decidim/releases/tag/v0.27.6
- https://nvd.nist.gov/vuln/detail/CVE-2024-27090
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-27090.yml
- https://github.com/advisories/GHSA-qcj6-vxwx-4rqv
Blast Radius: 13.2
Affected Packages
rubygems:decidim
Dependent packages: 6
Dependent repositories: 312
Downloads: 354,925 total
Affected Version Ranges: < 0.27.6
Fixed in: 0.27.6
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5
All unaffected versions: 0.27.6, 0.27.7, 0.27.8, 0.27.9, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.29.0, 0.29.1