CVE-2024-32469.yml
---
gem: decidim
cve: 2024-32469
ghsa: 7cx8-44pc-xv3q
url: https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
title: Decidim cross-site scripting (XSS) in the pagination
date: 2024-07-10
description: |
  ### Impact
  The pagination feature used in searches and filters is subject to a
  cross-site scripting (XSS) attack through a malformed URL carrying the
  GET parameter `per_page`.
  ### Patches
  Patched in versions 0.27.6 and 0.28.1.
  ### References
  OWASP ASVS v4.0.3-5.1.3
  ### Credits
  This issue was discovered in a security audit organized by the
  [mitgestalten Partizipationsbüro](https://partizipationsbuero.at/)
  and funded by [netidee](https://www.netidee.at/) against Decidim
  during April 2024. The security audit was carried out by
  [AIT Austrian Institute of Technology GmbH](https://www.ait.ac.at/).
cvss_v3: 7.1
patched_versions:
  - "~> 0.27.6"
  - ">= 0.28.1"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32469
    - https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
    - https://github.com/decidim/decidim/releases/tag/v0.27.6
    - https://github.com/decidim/decidim/releases/tag/v0.28.1
    - https://github.com/advisories/GHSA-7cx8-44pc-xv3q
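The advisory describes the bug class only (a `per_page` query value reflected into pagination markup). The following is an added illustration in Ruby, not Decidim's code and not taken from the advisory: a constructed "results per page" selector rendered once with the raw parameter interpolated into HTML, and once with the value coerced to an allow-listed integer before rendering. The allow-list, default and function names are assumptions made for the example.

```ruby
require "erb"

# Added example, not Decidim code: a "results per page" selector that echoes the
# per_page query parameter back into the page. The first version interpolates
# the raw string into HTML, which is the bug class the advisory describes; the
# second coerces the value to an allow-listed integer before rendering.

ALLOWED_PER_PAGE = [10, 20, 50].freeze   # constructed allow-list of page sizes
DEFAULT_PER_PAGE = 20                    # constructed fallback

# VULNERABLE: raw_per_page comes straight from the query string. A value such
# as  "><script>alert(1)</script>  closes the attribute and injects markup.
def per_page_select_vulnerable(raw_per_page)
  current = raw_per_page || DEFAULT_PER_PAGE.to_s
  options = ALLOWED_PER_PAGE.map { |n| %(<option value="#{n}">#{n}</option>) }
  options.unshift(%(<option value="#{current}" selected>#{current}</option>))
  %(<select name="per_page">#{options.join}</select>)
end

# Coerce the parameter to one of the permitted page sizes. Integer() with
# exception: false returns nil for nil, "", "abc" or "20<script>", and any
# integer outside the allow-list falls back to the default.
def coerce_per_page(raw_per_page)
  n = Integer(raw_per_page, exception: false)
  ALLOWED_PER_PAGE.include?(n) ? n : DEFAULT_PER_PAGE
end

# HARDENED: only allow-listed integers reach the template, and the rendered
# values are still passed through html_escape as defence in depth.
def per_page_select_hardened(raw_per_page)
  current = coerce_per_page(raw_per_page)
  options = ALLOWED_PER_PAGE.map do |n|
    selected = n == current ? " selected" : ""
    label = ERB::Util.html_escape(n.to_s)
    %(<option value="#{label}"#{selected}>#{label}</option>)
  end
  %(<select name="per_page">#{options.join}</select>)
end

if $PROGRAM_NAME == __FILE__
  payload = %q{"><script>alert(1)</script>}
  puts per_page_select_vulnerable(payload)   # script tag lands in the page
  puts per_page_select_hardened(payload)     # falls back to the default size
end
```

Escaping alone would also stop the markup injection, but a page-size parameter has no business being anything other than a small integer, and the same value usually feeds the database query, so coercion plus an allow-list is the fix to reach for; escaping is the second layer.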
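The `patched_versions` entries are RubyGems requirement strings, and the two together say: 0.27.x is fixed from 0.27.6, everything else is fixed from 0.28.1. The following added example, which is not part of ruby-advisory-db or bundler-audit, evaluates those two requirements against a locked gem version with `Gem::Requirement`, under the assumption (the usual reading of this field) that a version is unaffected when it satisfies any listed requirement. The `Gemfile.lock` fragment and the `locked_version` parser are constructed for the example.

```ruby
require "rubygems"
require "yaml"

# Added example, not part of ruby-advisory-db or bundler-audit: evaluate this
# advisory's patched_versions against a locked gem version. Assumption: a
# version is unaffected if it satisfies ANY listed requirement, so "~> 0.27.6"
# covers the 0.27 maintenance line and ">= 0.28.1" covers 0.28 and later.
ADVISORY = YAML.safe_load(<<~YAML)
  gem: decidim
  cve: 2024-32469
  patched_versions:
    - "~> 0.27.6"
    - ">= 0.28.1"
YAML

def patched?(advisory, version_string)
  version = Gem::Version.new(version_string)
  advisory.fetch("patched_versions").any? do |requirement|
    Gem::Requirement.new(requirement).satisfied_by?(version)
  end
end

def affected?(advisory, version_string)
  !patched?(advisory, version_string)
end

# Pull the locked version of a gem out of a Gemfile.lock body (constructed
# parser for the "specs:" section; a four-space indent marks a top-level spec,
# deeper indents are that spec's dependencies).
def locked_version(lockfile, gem_name)
  match = lockfile.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  match && match[1]
end

# Constructed Gemfile.lock fragment for a site still on 0.27.5.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.27.5)
        decidim-core (= 0.27.5)
LOCK

if $PROGRAM_NAME == __FILE__
  v = locked_version(LOCKFILE, ADVISORY["gem"])
  state = affected?(ADVISORY, v) ? "AFFECTED" : "patched"
  puts "decidim #{v}: #{state} (CVE-#{ADVISORY['cve']})"
end
```

Note the edge cases the requirement strings encode: 0.28.0 is affected even though it is newer than 0.27.6, because `~> 0.27.6` stops short of 0.28, and a prerelease such as 0.28.1.rc1 sorts below 0.28.1 so it is affected too.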