Cross-site Scripting (XSS) Affecting decidim-core package, versions >=0.27.0, <0.27.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-DECIDIMCORE-6255383
  • published 22 Feb 2024
  • disclosed 20 Feb 2024
  • credit Robert Cantaragiu

How to fix?

Upgrade decidim-core to version 0.27.5 or higher.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dynamic file upload feature. An attacker can modify the file names of the records being uploaded to the server, which could lead to the execution of malicious scripts. This vulnerability is present in sections where the user controls the file upload dialogs and has the technical capability to alter the file names through the dynamic upload endpoint. To exploit this vulnerability, the attacker would need to control the session of a particular user, successfully upload a file blob with a malicious file name to the server, and then direct another user to the edit page of the record where the file is attached. Users can craft direct upload requests, controlling the file name stored in the database. The attacker can change the filename, for example, to <svg onload=alert('XSS')>, if they know how to craft these requests. They can then enter the returned blob ID into the form inputs manually by modifying the edit page source.

Workaround

This vulnerability can be mitigated by disabling dynamic uploads for the instance, e.g., from proposals.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
6.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    None