From 2780bcd33ee26cc4577cbc5ec7c59a5be07b2fac Mon Sep 17 00:00:00 2001
From: Al Snow <jasnow@hotmail.com>
Date: Tue, 17 Sep 2024 09:19:37 -0400
Subject: [PATCH] GHSA SYNC: 3 brand new advisories

---
 gems/decidim-admin/CVE-2024-32034.yml | 37 +++++++++++++++++++
 gems/decidim/CVE-2024-39910.yml | 39 +++++++++++++++++++++
 gems/sidekiq-unique-jobs/CVE-2023-46950.yml | 25 +++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 gems/decidim-admin/CVE-2024-32034.yml
 create mode 100644 gems/decidim/CVE-2024-39910.yml
 create mode 100644 gems/sidekiq-unique-jobs/CVE-2023-46950.yml

diff --git a/gems/decidim-admin/CVE-2024-32034.yml b/gems/decidim-admin/CVE-2024-32034.yml
new file mode 100644
index 0000000000..0448e61989
--- /dev/null
+++ b/gems/decidim-admin/CVE-2024-32034.yml
@@ -0,0 +1,37 @@
+---
+gem: decidim-admin
+cve: 2024-32034
+ghsa: rx9f-5ggv-5rh6
+url: https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+title: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity
+  log
+date: 2024-09-16
+description: |
+  ### Impact
+  The admin panel is subject to potential XSS attach in case an admin
+  assigns a valuator to a proposal, or does any other action that
+  generates an admin activity log where one of the resources has an
+  XSS crafted.
+
+  ### Patches
+  N/A
+
+  ### Workarounds
+  Redirect the pages /admin and /admin/logs to other admin pages
+  to prevent this access (i.e. `/admin/organization/edit`)
+
+  ### References
+  OWASP ASVS v4.0.3-5.1.3
+cvss_v3: 6.8
+patched_versions:
+  - "~> 0.27.7"
+  - ">= 0.28.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32034
+    - https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+    - https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645
+    - https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072
+    - https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0
+    - https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6
+    - https://github.com/advisories/GHSA-rx9f-5ggv-5rh6
diff --git a/gems/decidim/CVE-2024-39910.yml b/gems/decidim/CVE-2024-39910.yml
new file mode 100644
index 0000000000..6c94c346dd
--- /dev/null
+++ b/gems/decidim/CVE-2024-39910.yml
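Review bot: The `title` value is a plain scalar continued on a second line (`  log`), which relies on implicit folding and breaks silently if someone later re-indents the continuation or inserts a key between the two lines; the same pattern appears in the decidim CVE-2024-39910 file in this commit. An explicit folded block makes the fold visible and parses to the same single-line string: `title: >-` / `  Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity` / `  log`. The `description` block also carries the upstream wording `XSS attach` verbatim; if this repository copy-edits synced text, `attack` is the intended word.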
@@ -0,0 +1,39 @@
+---
+gem: decidim
+cve: 2024-39910
+ghsa: vvqw-fqwx-mqmm
+url: https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+title: Decidim::Admin vulnerable to cross-site scripting (XSS) in
+  the admin panel with QuillJS WYSWYG editor
+date: 2024-09-16
+description: |
+  ### Impact
+  The WYSWYG editor QuillJS is subject to potential XSS attach in
+  case the attacker manages to modify the HTML before being
+  uploaded to the server.
+
+  The attacker is able to change e.g. to <svg onload=alert('XSS')>
+  if they know how to craft these requests themselves.
+
+  ### Patches
+  N/A
+
+  ### Workarounds
+  Review the user accounts that have access to the admin panel (i.e.
+  general Administrators, and participatory space's Administrators)
+  and remove access to them if they don't need it.
+
+  Disable the "Enable rich text editor for participants" setting in
+  the admin dashboard.
+
+  ### References
+  OWASP ASVS v4.0.3-5.1.3
+cvss_v3: 5.4
+patched_versions:
+  - ">= 0.27.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-39910
+    - https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+    - https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f
+    - https://github.com/advisories/GHSA-vvqw-fqwx-mqmm
diff --git a/gems/sidekiq-unique-jobs/CVE-2023-46950.yml b/gems/sidekiq-unique-jobs/CVE-2023-46950.yml
new file mode 100644
index 0000000000..b44d439540
--- /dev/null
+++ b/gems/sidekiq-unique-jobs/CVE-2023-46950.yml
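Review bot: `patched_versions` lists only `">= 0.27.7"`, which declares 0.28.0 and 0.28.1 fixed, whereas the sibling decidim-admin advisory in this commit keeps the 0.27 and 0.28 lines separate (`"~> 0.27.7"` and `">= 0.28.2"`); worth confirming against the upstream advisory that no 0.28.x release is affected before this single range is accepted. Separately, the file is `gem: decidim` but its `title` names `Decidim::Admin`, the same component the decidim-admin file covers; if the upstream advisory is filed against the decidim gem this is correct, but a reader scanning by title will otherwise look for it under gems/decidim-admin, so a short note in the description saying which gem carries the fix would remove the ambiguity.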
@@ -0,0 +1,25 @@
+---
+gem: sidekiq-unique-jobs
+cve: 2023-46950
+ghsa: fhx8-5c23-x7x5
+url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+title: Cross Site Scripting vulnerability in Contribsys Sidekiq
+date: 2024-03-01
+description: |
+  Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8
+  allows a remote attacker to obtain sensitive information via a
+  crafted URL to the filter functions.
+cvss_v3: 6.1
+patched_versions:
+  - "~> 7.1.33"
+  - ">= 8.0.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46950
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7
+    - https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
+    - https://github.com/advisories/GHSA-fhx8-5c23-x7x5
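Review bot: The `title` and `description` attribute the issue to `Contribsys Sidekiq v.6.5.8`, but the file lives under gems/sidekiq-unique-jobs and every project reference (`mhenrixon/sidekiq-unique-jobs`, the mgm-sp write-up titled `sidekiq-unique-jobs-reflected-xss`) points at the sidekiq-unique-jobs gem; as written, a user of plain sidekiq may believe they are affected and a user of sidekiq-unique-jobs may not. The NVD wording can stay, but a clarifying line inside the `|` block would help, e.g. `  (The affected component is the sidekiq-unique-jobs gem, not the core sidekiq gem; see the references below.)`. Also, `url` points at `GHSA-cmh9-rx85-xj38` while `ghsa` is `fhx8-5c23-x7x5`; both IDs appear in `related.url`, so this looks like a repository-published advisory alongside the GitHub-reviewed one rather than a typo, but it is worth confirming which identifier the `ghsa` field is meant to carry.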