CVSS3: 6.3 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 6.2 Medium (Confidence: High)
EPSS: 0.0004 (Low), Percentile: 10.5%
Decidim is vulnerable to stored cross-site scripting (XSS). The flaw is caused by improper handling of file names during dynamic file uploads: an attacker can craft a malicious file name that is stored in the database and later executed in the browsers of other users who view it.
Name | Operator | Version
---|---|---
decidim | le | 0.27.4
decidim-core | le | 0.27.4
github.com/advisories/GHSA-9w99-78rj-hmxq
github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
github.com/decidim/decidim/pull/11612
github.com/decidim/decidim/releases/tag/v0.27.5
github.com/decidim/decidim/releases/tag/v0.28.0
github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14