7.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45594

CVE-2024-45594: decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds

Impact

The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL.

Patches

Not available

Workarounds

Disable the creation of meetings by participants in the meeting component.

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by mitgestalten Partizipationsbüro against Decidim. The security audit was implemented by the Austrian Institute of Technology.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45594

CVE-2024-45594:

7.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
decidim-meetings	rubygems	>= 0.28.0, < 0.28.3	0.28.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The XSS vulnerability stems from improper handling of URL parameters in meeting embeds. Since the attack vector is a malformed URL, the root cause likely exists in: 1) The controller handling embed requests (EmbedsController#show) that fails to sanitize input before passing to views 2) The view template that renders embed content without proper output encoding. Ruby on Rails ERB templates are particularly vulnerable to XSS when using <%= %> tags without the h/html_escape helper. The workaround suggestion to disable participant-created meetings further indicates the vulnerability exists in the embed rendering flow that processes user-influenced URLs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45594: decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds

Impact

Patches

Workarounds

References

Credits

CVE-2024-45594:

7.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-45594: decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds

Impact

Patches

Workarounds

References

Credits

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.7

7.7

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI