CVE-2024-27095: Decidim cross-site scripting (XSS) in the admin panel

July 10, 2024

The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server.

The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source.

References

github.com/advisories/GHSA-529p-jj47-w3m3
github.com/decidim/decidim
github.com/decidim/decidim/releases/tag/v0.27.6
github.com/decidim/decidim/releases/tag/v0.28.1
github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3
nvd.nist.gov/vuln/detail/CVE-2024-27095

Detect and mitigate CVE-2024-27095 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →