CVE-2024-27090.yml
---
gem: decidim
cve: 2024-27090
ghsa: qcj6-vxwx-4rqv
url: https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
title: Decidim vulnerable to data disclosure through the embed feature
date: 2024-07-10
description: |
  ### Impact
  If an attacker can infer the slug or URL of an unpublished or private
  resource, and this resource can be embedded (such as a Participatory
  Process, an Assembly, a Proposal, a Result, etc.), then some data of
  this resource could be accessed.
  ### Patches
  Version 0.27.6
  https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
  ### Workarounds
  Disallow access through your web server to URLs ending with `/embed.html`
cvss_v3: 5.3
patched_versions:
  - ">= 0.27.6"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27090
    - https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
    - https://github.com/decidim/decidim/pull/12528
    - https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
    - https://github.com/decidim/decidim/releases/tag/v0.27.6
    - https://github.com/advisories/GHSA-qcj6-vxwx-4rqv