CVE-2024-32034 MEDIUM

CVE-2024-32034: Cross-site scripting (XSS) in the decidim admin activity log

Vendor Decidim
Product decidim
Weakness CWE-79 · XSS
Published September 16, 2024
Last update September 16, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Decidim is a free, open-source participatory democracy, citizen participation and open government platform for cities and organizations. The admin panel is subject to a potential cross-site scripting (XSS) attack when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry in which one of the referenced resources contains a crafted XSS payload. This issue has been addressed in release versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages (e.g. `/admin/organization/edit`) to prevent access to the activity log.

Key dates

Disclosure timeline

September 16, 2024 CVE published
September 16, 2024 Record updated
