GHSA SYNC: 1 brand new advisory (rubysec#837)
---------

Co-authored-by: Postmodern <[email protected]>
jasnow and postmodern authored Nov 15, 2024
1 parent 047aefc commit 152f634
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions gems/decidim-meetings/CVE-2024-45594.yml
@@ -0,0 +1,39 @@
---
gem: decidim-meetings
cve: 2024-45594
ghsa: j4h6-gcj7-7v9v
url: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
title: decidim-meetings Cross-site scripting vulnerability
in the online or hybrid meeting embeds
date: 2024-11-13
description: |
### Impact
The meeting embeds feature used in the online or hybrid meetings
is subject to potential XSS attack through a malformed URL.
### Workarounds
Disable the creation of meetings by participants in the meeting component.
### References
OWASP ASVS v4.0.3-5.1.3
### Credits
This issue was discovered in a security audit organized by mitgestalten
Partizipationsbüro against Decidim. The security audit was implemented
by the Austrian Institute of Technology.
cvss_v3: 7.7
unaffected_versions:
- "< 0.28.0"
patched_versions:
- "~> 0.28.3"
- ">= 0.29.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45594
- https://github.com/decidim/decidim/releases/tag/v0.28.3
- https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
- https://github.com/advisories/GHSA-j4h6-gcj7-7v9v
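Review bot: the `title:` value near the top of the hunk runs onto a second line ("in the online or hybrid meeting embeds"); in YAML a plain scalar may continue onto the next line only when that line is indented past the key, and the rendered diff drops leading whitespace, so either fold the title onto one line or confirm the committed file parses by loading it (the repository's advisory specs do this) before merging. The same care applies to the `description: |` literal block: every line in it, including the `### Impact`, `### Workarounds`, `### References` and `### Credits` headings, must share the block's indentation or the headings will be read as top-level keys. Separately, `unaffected_versions: "< 0.28.0"` together with `patched_versions: "~> 0.28.3"` and `">= 0.29.0"` encodes 0.28.0 through 0.28.2 as the affected range; that should be checked against the affected versions stated in the linked GHSA-j4h6-gcj7-7v9v advisory, since the entry itself gives no `affected` range. Finally, `cvss_v3: 7.7` is recorded as a bare score with no vector string; if the upstream advisory publishes the vector, consider including it in the entry's references for traceability.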
