From 2780bcd33ee26cc4577cbc5ec7c59a5be07b2fac Mon Sep 17 00:00:00 2001
From: Al Snow <jasnow@hotmail.com>
Date: Tue, 17 Sep 2024 09:19:37 -0400
Subject: [PATCH] GHSA SYNC: 3 brand new advisories

---
 gems/decidim-admin/CVE-2024-32034.yml       | 37 +++++++++++++++++++
 gems/decidim/CVE-2024-39910.yml             | 39 +++++++++++++++++++++
 gems/sidekiq-unique-jobs/CVE-2023-46950.yml | 25 +++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 gems/decidim-admin/CVE-2024-32034.yml
 create mode 100644 gems/decidim/CVE-2024-39910.yml
 create mode 100644 gems/sidekiq-unique-jobs/CVE-2023-46950.yml

diff --git a/gems/decidim-admin/CVE-2024-32034.yml b/gems/decidim-admin/CVE-2024-32034.yml
new file mode 100644
index 0000000000..0448e61989
--- /dev/null
+++ b/gems/decidim-admin/CVE-2024-32034.yml
@@ -0,0 +1,37 @@
+---
+gem: decidim-admin
+cve: 2024-32034
+ghsa: rx9f-5ggv-5rh6
+url: https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+title: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity
+  log
+date: 2024-09-16
+description: |
+  ### Impact
+  The admin panel is subject to potential XSS attach in case an admin
+  assigns a valuator to a proposal, or does any other action that
+  generates an admin activity log where one of the resources has an
+  XSS crafted.
+
+  ### Patches
+  N/A
+
+  ### Workarounds
+  Redirect the pages /admin and /admin/logs to other admin pages
+  to prevent this access (i.e. `/admin/organization/edit`)
+
+  ### References
+  OWASP ASVS v4.0.3-5.1.3
+cvss_v3: 6.8
+patched_versions:
+  - "~> 0.27.7"
+  - ">= 0.28.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32034
+    - https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+    - https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645
+    - https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072
+    - https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0
+    - https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6
+    - https://github.com/advisories/GHSA-rx9f-5ggv-5rh6
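Review bot: The description line `The admin panel is subject to potential XSS attach in case an admin` carries the upstream typo "attach" for "attack"; this text is what bundler-audit output and the advisory site print, so it is worth correcting to `XSS attack` here even though it is copied from the GHSA. The same typo appears in the decidim CVE-2024-39910 hunk of this patch, which also spells WYSIWYG as `WYSWYG` in both its title and description. Whether this database prefers verbatim upstream text or corrected text, I can't tell from the patch; if verbatim is the rule, leave as is.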
diff --git a/gems/decidim/CVE-2024-39910.yml b/gems/decidim/CVE-2024-39910.yml
new file mode 100644
index 0000000000..6c94c346dd
--- /dev/null
+++ b/gems/decidim/CVE-2024-39910.yml
@@ -0,0 +1,39 @@
+---
+gem: decidim
+cve: 2024-39910
+ghsa: vvqw-fqwx-mqmm
+url: https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+title: Decidim::Admin vulnerable to cross-site scripting (XSS) in
+  the admin panel with QuillJS WYSWYG editor
+date: 2024-09-16
+description: |
+  ### Impact
+  The WYSWYG editor QuillJS is subject to potential XSS attach in
+  case the attacker manages to modify the HTML before being
+  uploaded to the server.
+
+  The attacker is able to change e.g. to <svg onload=alert('XSS')>
+  if they know how to craft these requests themselves.
+
+  ### Patches
+  N/A
+
+  ### Workarounds
+  Review the user accounts that have access to the admin panel (i.e.
+  general Administrators, and participatory space's Administrators)
+  and remove access to them if they don't need it.
+
+  Disable the "Enable rich text editor for participants" setting in
+  the admin dashboard.
+
+  ### References
+  OWASP ASVS v4.0.3-5.1.3
+cvss_v3: 5.4
+patched_versions:
+  - ">= 0.27.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-39910
+    - https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+    - https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f
+    - https://github.com/advisories/GHSA-vvqw-fqwx-mqmm
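Review bot: `patched_versions` here lists only `">= 0.27.7"`, which also declares 0.28.0 and 0.28.1 fixed, while the decidim-admin CVE-2024-32034 file in this same patch treats the 0.28 line as patched only from 0.28.2; worth confirming against the upstream advisory that the QuillJS fix shipped in every 0.28.x release, and if not, using the same two-range form (`- "~> 0.27.7"` plus a `">= 0.28.<first fixed>"` entry, placeholder) as the sibling file. Separately, the entry is filed under `gem: decidim` while the title names `Decidim::Admin` and the text describes the admin-panel editor, and the sibling advisory files the comparable issue under `decidim-admin`; if the vulnerable code lives in that gem, a bundle that pulls decidim-admin without the `decidim` meta-gem would not be flagged. Presumably the gem choice mirrors the upstream GHSA's affected package, but it is worth verifying.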
diff --git a/gems/sidekiq-unique-jobs/CVE-2023-46950.yml b/gems/sidekiq-unique-jobs/CVE-2023-46950.yml
new file mode 100644
index 0000000000..b44d439540
--- /dev/null
+++ b/gems/sidekiq-unique-jobs/CVE-2023-46950.yml
@@ -0,0 +1,25 @@
+---
+gem: sidekiq-unique-jobs
+cve: 2023-46950
+ghsa: fhx8-5c23-x7x5
+url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+title: Cross Site Scripting vulnerability in Contribsys Sidekiq
+date: 2024-03-01
+description: |
+  Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8
+  allows a remote attacker to obtain sensitive information via a
+  crafted URL to the filter functions.
+cvss_v3: 6.1
+patched_versions:
+  - "~> 7.1.33"
+  - ">= 8.0.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46950
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7
+    - https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
+    - https://github.com/advisories/GHSA-fhx8-5c23-x7x5
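Review bot: The `ghsa` field gives `fhx8-5c23-x7x5` but the `url` field on the next line points at `GHSA-cmh9-rx85-xj38`, a different identifier; both appear again under `related.url`, so they are presumably the repository-published and the GitHub-reviewed advisory for the same CVE, and the two top-level fields should name the same one (e.g. `url: https://github.com/advisories/GHSA-fhx8-5c23-x7x5`, or switch `ghsa` to `cmh9-rx85-xj38` if the repository advisory is the canonical one here). The title and description also describe "Contribsys Sidekiq v.6.5.8" even though the entry is filed under `sidekiq-unique-jobs`, and the mgm-sp reference URL names the issue a reflected XSS in sidekiq-unique-jobs; the NVD wording appears to misattribute the product, so a title such as `Reflected cross-site scripting in sidekiq-unique-jobs` would be clearer, though I can only infer this from the reference URLs. Finally, `patched_versions` includes `~> 7.1.33` while the references only cite the v8.0.7 tag; fine if a 7.1.33 backport exists, but worth a check.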