Cross-site Scripting (XSS) Affecting decidim-core package, versions >=0.27.0, <0.27.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUBY-DECIDIMCORE-6255383
  • published22 Feb 2024
  • disclosed20 Feb 2024
  • creditRobert Cantaragiu

Introduced: 20 Feb 2024

CVE-2023-51447  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade decidim-core to version 0.27.5 or higher.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dynamic file upload feature. An attacker can modify the file names of the records being uploaded to the server, which could lead to the execution of malicious scripts. This vulnerability is present in sections where the user controls the file upload dialogs and has the technical capability to alter the file names through the dynamic upload endpoint. To exploit this vulnerability, the attacker would need to control the session of a particular user, successfully upload a file blob with a malicious file name to the server, and then direct another user to the edit page of the record where the file is attached. Users can craft direct upload requests, controlling the file name stored in the database. The attacker can change the filename, for example, to <svg onload=alert('XSS')>, if they know how to craft these requests. They can then enter the returned blob ID into the form inputs manually by modifying the edit page source.

Workaround

This vulnerability can be mitigated by disabling dynamic uploads for the instance, e.g., from proposals.

CVSS Scores

version 3.1