Cross-site Scripting (XSS) Affecting decidim-core package, versions >=0.27.0, <0.27.5
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-DECIDIMCORE-6255383
- published 22 Feb 2024
- disclosed 20 Feb 2024
- credit Robert Cantaragiu
Introduced: 20 Feb 2024
CVE-2023-51447 Open this link in a new tabHow to fix?
Upgrade decidim-core to version 0.27.5 or higher.
Overview
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dynamic file upload feature. An attacker can modify the file names of the records being uploaded to the server, which could lead to the execution of malicious scripts. This vulnerability is present in sections where the user controls the file upload dialogs and has the technical capability to alter the file names through the dynamic upload endpoint. To exploit this vulnerability, the attacker would need to control the session of a particular user, successfully upload a file blob with a malicious file name to the server, and then direct another user to the edit page of the record where the file is attached. Users can craft direct upload requests, controlling the file name stored in the database. The attacker can change the filename, for example, to <svg onload=alert('XSS')>, if they know how to craft these requests. They can then enter the returned blob ID into the form inputs manually by modifying the edit page source.
Workaround
This vulnerability can be mitigated by disabling dynamic uploads for the instance, e.g., from proposals.