GHSA SYNC: 2 brand new advisories (#822)

--------- Co-authored-by: Postmodern <[email protected]>
rubysec · Oct 3, 2024 · 7b6de19 · 7b6de19
1 parent 7efe0d9
commit 7b6de19
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/gems/decidim/CVE-2024-41673.yml b/gems/decidim/CVE-2024-41673.yml
@@ -0,0 +1,35 @@
+---
+gem: decidim
+cve: 2024-41673
+ghsa: cc4g-m3g7-xmw8
+url: https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+title: Decidim has a cross-site scripting vulnerability in the version control page
+date: 2024-10-01
+description: |
+  ### Impact
+
+  The version control feature used in resources is subject to potential
+  cross-site scripting (XSS) attack through a malformed URL.
+
+  ### Workarounds
+
+  Not available
+
+  ### References
+
+  OWASP ASVS v4.0.3-5.1.3
+
+  ### Credits
+
+  This issue was discovered in a security audit organized by
+  [Open Source Politics](https://opensourcepolitics.eu/)
+  against Decidim done during July 2025.
+cvss_v3: 7.1
+patched_versions:
+  - ">= 0.27.8"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-41673
+    - https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+    - https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
+    - https://github.com/advisories/GHSA-cc4g-m3g7-xmw8