Skip to content

Commit 152f634

Browse files
jasnowpostmodern
jasnow
and
postmodern
authored
GHSA SYNC: 1 brand new advisory (#837)
--------- Co-authored-by: Postmodern <[email protected]>
1 parent 047aefc commit 152f634

File tree

1 file changed

+39
-0
lines changed

1 file changed

+39
-0
lines changed

gems/decidim-meetings/CVE-2024-45594.yml

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
---
2+
gem: decidim-meetings
3+
cve: 2024-45594
4+
ghsa: j4h6-gcj7-7v9v
5+
url: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
6+
title: decidim-meetings Cross-site scripting vulnerability
7+
in the online or hybrid meeting embeds
8+
date: 2024-11-13
9+
description: |
10+
### Impact
11+
12+
The meeting embeds feature used in the online or hybrid meetings
13+
is subject to potential XSS attack through a malformed URL.
14+
15+
### Workarounds
16+
17+
Disable the creation of meetings by participants in the meeting component.
18+
19+
### References
20+
21+
OWASP ASVS v4.0.3-5.1.3
22+
23+
### Credits
24+
25+
This issue was discovered in a security audit organized by mitgestalten
26+
Partizipationsbüro against Decidim. The security audit was implemented
27+
by the Austrian Institute of Technology.
28+
cvss_v3: 7.7
29+
unaffected_versions:
30+
- "< 0.28.0"
31+
patched_versions:
32+
- "~> 0.28.3"
33+
- ">= 0.29.0"
34+
related:
35+
url:
36+
- https://nvd.nist.gov/vuln/detail/CVE-2024-45594
37+
- https://github.com/decidim/decidim/releases/tag/v0.28.3
38+
- https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
39+
- https://github.com/advisories/GHSA-j4h6-gcj7-7v9v

0 commit comments

Comments
 (0)