Decidim-Awesome has SQL injection in AdminAccountability
Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor: Decidim International Community Environment
Has vendor confirmed: Yes
Attack type: Remote
Impact: Code Execution, Escalation of Privileges, Information Disclosure
Affected component: A raw SQL statement that uses an interpolated variable exists in the admin_role_actions method of the PaperTrail version model (app/models/decidim/decidim_awesome/paper_trail_version.rb).
Attack vector: An attacker with admin permissions could manipulate database queries in order to read out the …