
5 matches found

Cvelist
added 2024/09/16 6:38 p.m. · 16 views

CVE-2024-32034 Cross-site scripting (XSS) in the decidim admin activity log

decidim is a Free Open-Source participatory democracy, citizen participation and open government platform for cities and organizations. The admin panel is subject to a potential Cross-site scripting (XSS) attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admi...

6.8 CVSS · 0.00567 EPSS
Exploits 0 · References 5
Github Security Blog
added 2024/09/16 5:17 p.m. · 15 views

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact: The admin panel is subject to a potential XSS attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has XSS content crafted into it. Patches: N/A. Workarounds: Redirect the pages /admin and /admin/logs to other admi...

6.8 CVSS · 6 AI score · 0.00567 EPSS
Exploits 0 · References 8 · Affected Software 1
Veracode
added 2024/07/11 6:45 a.m. · 12 views

Cross Site Scripting

decidim-admin is vulnerable to Cross Site Scripting. The vulnerability is due to lack of input validation while modifying some records being uploaded to the server. An attacker can exploit this by altering records that get uploaded, leading to the execution of malicious scripts in the admin panel...

5.4 CVSS · 6.7 AI score · 0.0028 EPSS
Exploits 0 · References 4 · Affected Software 1
Snyk
added 2024/02/20 6:45 p.m. · 1 view

Operation on a Resource after Expiration or Release

Overview: Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation of the pending invitation's expiry...

7.4 CVSS · 7 AI score · 0.00584 EPSS
Exploits 0 · References 2
Positive Technologies
added 2024/02/20 12:00 a.m. · 3 views

PT-2024-13556 · Rubygems +2 · Devise Invitable +3

Name of the Vulnerable Software and Affected Versions: decidim versions 0.0.1.alpha3 through 0.26.8; decidim-admin versions 0.0.1.alpha3 through 0.26.8; decidim-system versions 0.0.1.alpha3 through 0.26.8; devise invitable versions 0.4.rc3 through 2.0.8. Description: The invites feature in the devise...

7.4 CVSS · 7.3 AI score · 0.00584 EPSS
Exploits 0 · References 16