Miggo Logo
Miggo Vulnerability Database
CVE-2024-41673

CVE-2024-41673: Decidim has a cross-site scripting vulnerability in the version control page

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-41673
GHSA ID
GHSA-cc4g-m3g7-xmw8
EPSS Score
0.27072%
CWE
CWE-79
Published
10/1/2024
Updated
10/3/2024
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
decidimrubygems<= 0.27.70.27.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key issues: 1) Missing output encoding in the version cell's translation method (i18n) allowed XSS payload execution. 2) Lack of input validation on the version ID parameter enabled script injection through malformed URLs. The patch adds HTML escaping in the i18n method and enforces integer conversion of the ID parameter, addressing both the injection vector and rendering vulnerability. The test cases added in spec files demonstrate protection against exactly this XSS pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** v*rsion *ontrol ***tur* us** in r*sour**s is su*j**t to pot*nti*l *ross-sit* s*riptin* (XSS) *tt**k t*rou** * m*l*orm** URL. ### Work*roun*s Not *v*il**l* ### R***r*n**s OW*SP *SVS v*.*.*-*.*.* ### *r**its T*is issu* w*s *is*ov

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) Missin* output *n*o*in* in t** v*rsion **ll's tr*nsl*tion m*t*o* (i**n) *llow** XSS p*ylo** *x**ution. *) L**k o* input v*li**tion on t** v*rsion I* p*r*m*t*r *n**l** s*ript inj**tion t*rou** m*l*orm**