Lucene search

Veracode Vulnerability DatabaseVERACODE:41310

HistoryJul 17, 2023 - 8:37 a.m.

Cross-site Scripting (XSS)

2023-07-1708:37:58

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

decidim

cross-site scripting

user-input sanitization

javascript

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

43.9%

JSON

decidim is vulnerable to Cross-Site Scripting. The vulnerability is due to a lack of user-input sanitization in external link redirections, which allows an attacker to inject and execute arbitrary JavaScript into the browser.

CPENameOperatorVersion
decidim-corele0.27.2
decidim-corele0.26.5
decidim-corele0.27.2
decidim-corele0.26.5

Name	Operator	Version
decidim-core	le	0.27.2
decidim-core	le	0.26.5
decidim-core	le	0.27.2
decidim-core	le	0.26.5

References

github.com/advisories/GHSA-469h-mqg8-535r

github.com/decidim/decidim/commit/550e86e237f8a4bc48bf5a8f204336a77c8cad4c

github.com/decidim/decidim/commit/7537b44ad0846890786b08cb4d001f45555612ae

github.com/decidim/decidim/releases/tag/v0.26.6

github.com/decidim/decidim/releases/tag/v0.26.7

github.com/decidim/decidim/releases/tag/v0.27.3

github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

43.9%

JSON

Related for VERACODE:41310