19 matches found

OSV, added 2024/11/13 5:24 p.m.

GHSA-J4H6-GCJ7-7V9V decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds

Impact: The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. Patches: Not available. Workarounds: Disable the creation of meetings by participants in the meeting component. References: OWASP ASVS v4.0.3-5.1.3. Credits: This issue wa...

CVSS 7.7 | AI score 7.2 | EPSS 0.00243 | Exploits 0 | References 3
RubySec, added 2024/10/01 12:00 a.m.

Decidim has a cross-site scripting vulnerability in the version control page

Impact: The version control feature used in resources is subject to potential cross-site scripting (XSS) attack through a malformed URL. Workarounds: Not available. References: OWASP ASVS v4.0.3-5.1.3. Credits: This issue was discovered in a security audit organized by Open Source Politics against Decidi...

CVSS 7.1 | AI score 6.1 | EPSS 0.00394 | Exploits 0 | References 1 | Affected Software 1
OSV, added 2024/09/16 5:17 p.m.

GHSA-VVQW-FQWX-MQMM Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSIWYG editor

Impact: The WYSIWYG editor QuillJS is subject to potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change e.g. to if they know how to craft these requests themselves. Patches: N/A. Workarounds: Review the user accounts tha...

CVSS 5.9 | AI score 4.9 | EPSS 0.0026 | Exploits 0 | References 5
Github Security Blog, added 2024/09/16 5:17 p.m.

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact: The admin panel is subject to potential XSS attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS payload crafted into it. Patches: N/A. Workarounds: Redirect the pages /admin and /admin/logs to other admi...

CVSS 6.8 | AI score 6 | EPSS 0.00353 | Exploits 0 | References 8 | Affected Software 1
RubySec, added 2024/09/16 12:00 a.m.

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact: The admin panel is subject to potential XSS attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS payload crafted into it. Patches: N/A. Workarounds: Redirect the pages /admin and /admin/logs to other admi...

CVSS 6.8 | AI score 6 | EPSS 0.00353 | Exploits 0 | References 1 | Affected Software 1
RubySec, added 2024/09/16 12:00 a.m.

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSIWYG editor

Impact: The WYSIWYG editor QuillJS is subject to potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change e.g. to if they know how to craft these requests themselves. Patches: N/A. Workarounds: Review the user accounts tha...

CVSS 5.4 | AI score 5.8 | EPSS 0.0026 | Exploits 0 | References 1 | Affected Software 1
OSV, added 2024/07/10 4:02 p.m.

GHSA-529P-JJ47-W3M3 Decidim cross-site scripting (XSS) in the admin panel

Impact: The admin panel is subject to potential XSS attack in case the attacker manages to modify some records being uploaded to the server. The attacker is able to change e.g. to if they know how to craft these requests themselves, and then enter the returned blob ID into the form inputs manually b...

CVSS 6.8 | AI score 4.9 | EPSS 0.00341 | Exploits 0 | References 6
Github Security Blog, added 2024/07/10 4:02 p.m.

Decidim cross-site scripting (XSS) in the admin panel

Impact: The admin panel is subject to potential XSS attack in case the attacker manages to modify some records being uploaded to the server. The attacker is able to change e.g. to if they know how to craft these requests themselves, and then enter the returned blob ID into the form inputs manually b...

CVSS 5.4 | AI score 6 | EPSS 0.00341 | Exploits 0 | References 6 | Affected Software 1
Github Security Blog, added 2024/07/10 3:43 p.m.

Decidim cross-site scripting (XSS) in the pagination

Impact: The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter perpage. Patches: Not available. Workarounds: Not available. References: OWASP ASVS v4.0.3-5.1.3. Credits: This issue was discovered in a security audit organized...

CVSS 7.1 | AI score 6.6 | EPSS 0.00417 | Exploits 0 | References 6 | Affected Software 1
RubySec, added 2024/07/10 12:00 a.m.

Decidim cross-site scripting (XSS) in the admin panel

Impact: The admin panel is subject to potential XSS attack in case the attacker manages to modify some records being uploaded to the server. The attacker is able to change e.g. to if they know how to craft these requests themselves, and then enter the returned blob ID into the form inputs manually b...

CVSS 5.4 | AI score 6.1 | EPSS 0.00341 | Exploits 0 | References 1 | Affected Software 1
Github Security Blog, added 2024/02/20 11:42 p.m.

Cross-site scripting (XSS) in the dynamic file uploads

Impact: The dynamic file upload feature is subject to potential XSS attack in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to chang...

CVSS 6.3 | AI score 5.9 | EPSS 0.00493 | Exploits 0 | References 8 | Affected Software 2
OSV, added 2024/02/20 11:42 p.m.

GHSA-9W99-78RJ-HMXQ Cross-site scripting (XSS) in the dynamic file uploads

Impact: The dynamic file upload feature is subject to potential XSS attack in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to chang...

CVSS 6.3 | AI score 5.7 | EPSS 0.00493 | Exploits 0 | References 8
OSV, added 2024/02/20 7:26 p.m.

GHSA-W3Q8-M492-4PWP Possibility to circumvent the invitation token expiry period

Impact: The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited, as shown in this piece...

CVSS 5.7 | AI score 6.5 | EPSS 0.00791 | Exploits 0 | References 11
Github Security Blog, added 2024/02/20 7:26 p.m.

Possibility to circumvent the invitation token expiry period

Impact: The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited, as shown in this piece...

CVSS 7.4 | AI score 7.5 | EPSS 0.00791 | Exploits 0 | References 11 | Affected Software 4
RubySec, added 2024/02/20 12:00 a.m.

Cross-site scripting (XSS) in the dynamic file uploads

Impact: The dynamic file upload feature is subject to potential XSS attack in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to chang...

CVSS 6.3 | AI score 6 | EPSS 0.00493 | Exploits 0 | References 1 | Affected Software 1
RubySec, added 2024/02/20 12:00 a.m.

Possibility to circumvent the invitation token expiry period

Impact: The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited, as shown in this piece...

CVSS 7.4 | AI score 7.5 | EPSS 0.00791 | Exploits 0 | References 1 | Affected Software 1
RubySec, added 2024/02/20 12:00 a.m.

Cross-site scripting (XSS) in the dynamic file uploads

Impact: The dynamic file upload feature is subject to potential XSS attack in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to chang...

CVSS 6.3 | AI score 6 | EPSS 0.00493 | Exploits 0 | References 1 | Affected Software 1
Microsoft Secure, added 2021/10/05 4:00 p.m.

Practical tips on how to use application security testing and testing standards

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Daniel Cuthbert, Global Head of Security...

AI score 7.7 | Exploits 0
ripstech, added 2019/04/08 7:00 a.m.

RIPS 3.1: TeamCity, LDAP and JSP Support

Compliance Management: Compliance with industry standards is a major topic in today's product development strategies. We revised our compliance tab, which now provides an efficient overview of all violations of industry standard requirements found during RIPS code analysis. Developers ca...

AI score 7.2 | Exploits 0