{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39910", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-02T19:37:18.601Z", "datePublished": "2024-09-16T18:38:11.423Z", "dateUpdated": "2024-09-16T19:58:06.959Z"}, "containers": {"cna": {"title": "Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSWYG editor", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"}, {"name": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f", "tags": ["x_refsource_MISC"], "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"}], "affected": [{"vendor": "decidim", "product": "decidim", "versions": [{"version": "< 0.27.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-16T18:38:11.423Z"}, "descriptions": [{"lang": "en", "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the \"Enable rich text editor for participants\" setting in the admin dashboard"}], "source": {"advisory": "GHSA-vvqw-fqwx-mqmm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T19:57:51.999340Z", "id": "CVE-2024-39910", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T19:58:06.959Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-16T19:57:51.999340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T19:58:00.773Z"}}], "cna": {"title": "Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSWYG editor", "source": {"advisory": "GHSA-vvqw-fqwx-mqmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "decidim", "product": "decidim", "versions": [{"status": "affected", "version": "< 0.27.7"}]}], "references": [{"url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm", "name": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f", "name": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the \"Enable rich text editor for participants\" setting in the admin dashboard"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-16T18:38:11.423Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39910", "state": "PUBLISHED", "dateUpdated": "2024-09-16T19:58:06.959Z", "dateReserved": "2024-07-02T19:37:18.601Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-16T18:38:11.423Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6C6546E7-9340-4C15-BEF9-9075508E1C35", "versionEndExcluding": "0.27.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the \"Enable rich text editor for participants\" setting in the admin dashboard"}, {"lang": "es", "value": "Decidim es una democracia participativa, participaci\u00f3n ciudadana y gobierno abierto de c\u00f3digo abierto y gratuito para ciudades y organizaciones. El editor WYSWYG QuillJS est\u00e1 sujeto a posibles ataques XSS en caso de que el atacante logre modificar el HTML antes de subirlo al servidor. El atacante puede cambiar, por ejemplo, a si sabe c\u00f3mo crear estas solicitudes por s\u00ed mismo. Este problema se ha solucionado en la versi\u00f3n 0.27.7. Se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben revisar las cuentas de usuario que tienen acceso al panel de administraci\u00f3n (es decir, administradores generales y administradores del espacio participativo) y eliminar el acceso a ellas si no lo necesitan. Desactive la opci\u00f3n \"Habilitar editor de texto enriquecido para participantes\" en el panel de administraci\u00f3n"}], "id": "CVE-2024-39910", "lastModified": "2024-09-29T00:33:03.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-16T19:16:10.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}