Updated advisory posts against rubysec/ruby-advisory-db@152f634

jasnow · RubySec CI · commit 96ee92ac3df3 · 2024-11-15T18:47:31.000Z
diff --git a/advisories/_posts/2024-11-13-CVE-2024-45594.md b/advisories/_posts/2024-11-13-CVE-2024-45594.md
@@ -0,0 +1,47 @@
+---
+layout: advisory
+title: 'CVE-2024-45594 (decidim-meetings): decidim-meetings Cross-site scripting vulnerability
+  in the online or hybrid meeting embeds'
+comments: false
+categories:
+- decidim-meetings
+advisory:
+  gem: decidim-meetings
+  cve: 2024-45594
+  ghsa: j4h6-gcj7-7v9v
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+  title: decidim-meetings Cross-site scripting vulnerability in the online or hybrid
+    meeting embeds
+  date: 2024-11-13
+  description: |
+    ### Impact
+
+    The meeting embeds feature used in the online or hybrid meetings
+    is subject to potential XSS attack through a malformed URL.
+
+    ### Workarounds
+
+    Disable the creation of meetings by participants in the meeting component.
+
+    ### References
+
+    OWASP ASVS v4.0.3-5.1.3
+
+    ### Credits
+
+    This issue was discovered in a security audit organized by mitgestalten
+    Partizipationsbüro against Decidim. The security audit was implemented
+    by the Austrian Institute of Technology.
+  cvss_v3: 7.7
+  unaffected_versions:
+  - "< 0.28.0"
+  patched_versions:
+  - "~> 0.28.3"
+  - ">= 0.29.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-45594
+    - https://github.com/decidim/decidim/releases/tag/v0.28.3
+    - https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+    - https://github.com/advisories/GHSA-j4h6-gcj7-7v9v
+---
