Decidim vulnerable to data disclosure through the embed feature

GHSA-qcj6-vxwx-4rqv · CVE-2024-27090

Published Jul 10, 2024 · Modified Jul 11, 2024

Description

Impact

If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed.

Patches

version 0.27.6

https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705

Workarounds

Disallow access through your web server to the URLs finished with /embed.html

References

WEB https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-27090
WEB https://github.com/decidim/decidim/pull/12528
WEB https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
PACKAGE https://github.com/decidim/decidim
WEB https://github.com/decidim/decidim/releases/tag/v0.27.6
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-27090.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes