CVE-2024-27090: Decidim vulnerable to data disclosure through the embed feature
If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed.
References
- github.com/advisories/GHSA-qcj6-vxwx-4rqv
- github.com/decidim/decidim
- github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
- github.com/decidim/decidim/pull/12528
- github.com/decidim/decidim/releases/tag/v0.27.6
- github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
- nvd.nist.gov/vuln/detail/CVE-2024-27090
Code Behaviors & Features
Detect and mitigate CVE-2024-27090 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →