5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27095

GHSA ID

GHSA-529p-jj47-w3m3

EPSS Score

0.3183%

CWE

CWE-79

Published

7/10/2024

Updated

7/31/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27095

CVE-2024-27095:
Decidim cross-site scripting (XSS) in the admin panel

Impact

The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server.

The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source.

Patches

Available in versions 0.27.6 and 0.28.1.

Workarounds

Review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it.

References

OWASP ASVS v4.0.3-5.1.3

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27095

GHSA ID

GHSA-529p-jj47-w3m3

EPSS Score

0.3183%

CWE

CWE-79

Published

7/10/2024

Updated

7/31/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
decidim-admin	rubygems	< 0.27.6	0.27.6
decidim-admin	rubygems	>= 0.28.0.rc1, < 0.28.1	0.28.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves XSS via manipulated blob IDs in admin panel forms. The patch notes for v0.27.6 explicitly mention a backport to 'Allow passing a blob object to AssetRouter::Storage,' suggesting this component was central to the fix. CWE-79 aligns with improper input neutralization during web page generation, which would occur if AssetRouter::Storage processed untrusted blob IDs without sanitization. The admin panel's reliance on this function to render blobs (e.g., SVG files with embedded scripts) would directly enable the described attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** **min p*n*l is su*j**t to pot*nti*l XSS *tt*** in **s* t** *tt**k*r m*n***s to mo*i*y som* r**or*s **in* uplo**** to t** s*rv*r. T** *tt**k*r is **l* to ***n** *.*. to `<sv* onlo**=*l*rt('XSS')>` i* t**y know *ow to *r**t t**s* r*qu

Reasoning

T** vuln*r**ility involv*s XSS vi* m*nipul*t** *lo* I*s in **min p*n*l *orms. T** p*t** not*s *or v*.**.* *xpli*itly m*ntion * ***kport to '*llow p*ssin* * *lo* o*j**t to `*ss*tRout*r::Stor***`,' su***stin* t*is *ompon*nt w*s **ntr*l to t** *ix. *W*-

5.4

Basic Information

Concerned about an active attack path?

CVE-2024-27095: Decidim cross-site scripting (XSS) in the admin panel

Impact

Patches

Workarounds

References

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-27095:
Decidim cross-site scripting (XSS) in the admin panel

Vulnerability Intelligence
Miggo AI