6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32034

CVE-2024-32034: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact

The admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted.

Patches

N/A

Workarounds

Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. /admin/organization/edit)

References

OWASP ASVS v4.0.3-5.1.3

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-32034

CVE-2024-32034:

6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
decidim-admin	rubygems	<= 0.27.6	0.27.7
decidim-admin	rubygems	>= 0.28.0, <= 0.28.1	0.28.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper neutralization of user-controlled input in admin logs. The critical change in the patch modifies the organization presenter's settings_attributes_mapping to handle 'name' as an i18n field instead of a raw string. This indicates the original implementation failed to properly sanitize translated content when rendering admin activity logs, making it susceptible to XSS through crafted resource names. The direct correlation between the CWE-79 classification and the patched presentation logic confirms this as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-32034: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact

Patches

Workarounds

References

CVE-2024-32034:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-32034: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.8

6.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI