Decidim-Awesome has SQL injection in AdminAccountability
GHSA-cxwf-qc32-375f · CVE-2024-43415
Description
Vulnerability type:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor:
Decidim International Community Environment
Has vendor confirmed:
Yes
Attack type:
Remote
Impact:
Code Execution
Escalation of Privileges
Information Disclosure
Affected component:
A raw SQL statement that interpolates a variable directly into the query text exists in the admin_role_actions method of the papertrail/version model (app/models/decidim/decidim_awesome/paper_trail_version.rb).
Attack vector:
An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, or write files to the filesystem. In the worst case, this could lead to remote code execution on the server.
Description of the vulnerability for use in the CVE: An improper neutralization of special elements used in an SQL command in the papertrail/version model of the decidim_awesome module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate SQL queries to disclose information, read and write files, or execute commands.
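The defect class the advisory describes, a raw SQL statement with a Ruby-interpolated variable, beside the fix pattern of a bound placeholder. This is an added example written for this page, not the decidim_awesome project's own code: the table, column and method names, the hypothetical role filter, and the attacker payload are all assumptions, and the real query in Decidim::DecidimAwesome::PaperTrailVersion.admin_role_actions is not reproduced here. The bind_sql helper stands in for ActiveRecord's sanitize_sql_array and handles string values only.

```ruby
# Added example, not code from the decidim_awesome project. Names below are
# assumptions; the real admin_role_actions query is not reproduced.

# Minimal quoting in the style of a SQL adapter: wrap in single quotes and
# double any embedded single quote so the value cannot close the literal.
def quote_literal(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Bind values into `?` placeholders, quoting each one. Stand-in for
# ActiveRecord's sanitize_sql_array (assumption: string values only).
def bind_sql(template, *values)
  parts = template.split("?", -1)
  raise ArgumentError, "placeholder/value count mismatch" unless parts.size == values.size + 1

  out = parts.first.dup
  values.each_with_index { |v, i| out << quote_literal(v) << parts[i + 1] }
  out
end

# Vulnerable pattern: the filter value goes straight into the SQL text.
def admin_actions_sql_vulnerable(role)
  "SELECT * FROM versions WHERE item_type = 'Decidim::UserRole' " \
    "AND object_changes LIKE '%#{role}%'"
end

# Hardened pattern: the same query, but the value is bound through a placeholder.
def admin_actions_sql_bound(role)
  bind_sql(
    "SELECT * FROM versions WHERE item_type = 'Decidim::UserRole' AND object_changes LIKE ?",
    "%#{role}%"
  )
end

# Return only the parts of a statement that sit outside single-quoted string
# literals ('' inside a literal is an escaped quote). Anything an attacker
# manages to place out here is live SQL syntax, not data.
def sql_outside_literals(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.size
    ch = sql[i]
    if in_literal
      if ch == "'"
        if sql[i + 1] == "'"
          i += 1 # doubled quote: stays inside the literal
        else
          in_literal = false
        end
      end
    elsif ch == "'"
      in_literal = true
    else
      out << ch
    end
    i += 1
  end
  out
end

# True when the supplied value has escaped its literal and become SQL syntax.
def injected?(sql)
  sql_outside_literals(sql).match?(/\bOR\b|--|;/i)
end

PAYLOAD = "admin%' OR 1=1 --" # constructed attacker input

if __FILE__ == $PROGRAM_NAME
  puts admin_actions_sql_vulnerable(PAYLOAD)
  puts "vulnerable query injected? #{injected?(admin_actions_sql_vulnerable(PAYLOAD))}"
  puts admin_actions_sql_bound(PAYLOAD)
  puts "bound query injected?      #{injected?(admin_actions_sql_bound(PAYLOAD))}"
end
```

With the payload, the interpolated version closes the LIKE literal and leaves `OR 1=1 --` outside any quotes, where the database parses it as a condition; the bound version keeps the same bytes inside one literal, so they are matched as data. In a real application the value should be passed to ActiveRecord's `where("... ?", value)` or `sanitize_sql_array` rather than quoted by hand.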
Discoverer Credits:
Wolfgang Hotwagner
References:
https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/
https://portswigger.net/web-security/sql-injection
References
- WEB https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-43415
- WEB https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b
- PACKAGE https://github.com/decidim-ice/decidim-module-decidim_awesome
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-decidim_awesome/CVE-2024-43415.yml
- WEB https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability