From 152f6340496107ed6ee2834412618933c632a4ac Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Fri, 15 Nov 2024 13:46:40 -0500
Subject: [PATCH] GHSA SYNC: 1 brand new advisory (#837)
---------
Co-authored-by: Postmodern
---
 gems/decidim-meetings/CVE-2024-45594.yml | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 gems/decidim-meetings/CVE-2024-45594.yml
diff --git a/gems/decidim-meetings/CVE-2024-45594.yml b/gems/decidim-meetings/CVE-2024-45594.yml
new file mode 100644
index 0000000000..8b6e00c1d1
--- /dev/null
+++ b/gems/decidim-meetings/CVE-2024-45594.yml
@@ -0,0 +1,39 @@
+---
+gem: decidim-meetings
+cve: 2024-45594
+ghsa: j4h6-gcj7-7v9v
+url: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+title: decidim-meetings Cross-site scripting vulnerability
+ in the online or hybrid meeting embeds
+date: 2024-11-13
+description: |
+ ### Impact
+
+ The meeting embeds feature used in the online or hybrid meetings
+ is subject to potential XSS attack through a malformed URL.
+
+ ### Workarounds
+
+ Disable the creation of meetings by participants in the meeting component.
+
+ ### References
+
+ OWASP ASVS v4.0.3-5.1.3
+
+ ### Credits
+
+ This issue was discovered in a security audit organized by mitgestalten
+ Partizipationsbüro against Decidim. The security audit was implemented
+ by the Austrian Institute of Technology.
+cvss_v3: 7.7
+unaffected_versions:
+ - "< 0.28.0"
+patched_versions:
+ - "~> 0.28.3"
+ - ">= 0.29.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-45594
+ - https://github.com/decidim/decidim/releases/tag/v0.28.3
+ - https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+ - https://github.com/advisories/GHSA-j4h6-gcj7-7v9v
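Review bot: The `title:` value on the new side is a plain scalar continued on a second indented line (`+title: decidim-meetings Cross-site scripting vulnerability` / `+  in the online or hybrid meeting embeds`); YAML folds such a continuation silently, so a later edit that puts `: ` or ` #` into the second line would change the parse rather than fail loudly. Writing it as `title: >-` with the two lines indented beneath it makes the fold explicit and yields the same single-line title. The collapsed rendering of this hunk drops the original indentation, so the two-space indent of the `description: |` body and of the `unaffected_versions`/`patched_versions`/`related.url` lists could not be verified here; worth confirming the file passes the repository's YAML lint before merge.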