{"id":"GHSA-vvqw-fqwx-mqmm","summary":" Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor","details":"### Impact\n\nThe WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.\n\nThe attacker is able to change e.g. to \u003csvg onload=alert('XSS')\u003e if they know how to craft these requests themselves. \n\n### Patches\n\nN/A\n\n### Workarounds\n\nReview the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. \n\nDisable the \"Enable rich text editor for participants\" setting in the admin dashboard\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n","aliases":["CVE-2024-39910"],"modified":"2024-09-17T22:34:04.027787Z","published":"2024-09-16T17:17:54Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2024-09-16T17:17:54Z","nvd_published_at":"2024-09-16T19:16:10Z","cwe_ids":["CWE-79"],"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39910"},{"type":"WEB","url":"https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"},{"type":"PACKAGE","url":"https://github.com/decidim/decidim"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml"}],"affected":[{"package":{"name":"decidim","ecosystem":"RubyGems","purl":"pkg:gem/decidim"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.7"}]}],"versions":["0.0.1","0.0.1.alpha1","0.0.1.alpha2","0.0.1.alpha3","0.0.1.alpha4","0.0.1.alpha5","0.0.1.alpha6","0.0.1.alpha7","0.0.1.alpha8","0.0.1.alpha9","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8.1","0.1.0","0.10.0","0.10.1","0.11.0.pre1","0.11.1","0.11.2","0.12.0","0.12.0.pre","0.12.1","0.12.2","0.13.0","0.13.0.pre1","0.13.1","0.14.1","0.14.2","0.14.3","0.14.4","0.15.0","0.15.1","0.15.2","0.16.0","0.16.1","0.17.0","0.17.1","0.17.2","0.18.0","0.18.1","0.19.0","0.19.1","0.2.0","0.20.0","0.20.1","0.21.0","0.22.0","0.23.0","0.23.1","0.23.1.rc1","0.23.2","0.23.3","0.23.4","0.23.5","0.23.6","0.24.0","0.24.0.rc1","0.24.0.rc2","0.24.1","0.24.2","0.24.3","0.25.0","0.25.0.rc1","0.25.0.rc2","0.25.0.rc3","0.25.0.rc4","0.25.1","0.25.2","0.26.0","0.26.0.rc2","0.26.1","0.26.10","0.26.2","0.26.3","0.26.4","0.26.5","0.26.7","0.26.8","0.26.9","0.27.0","0.27.0.rc1","0.27.0.rc2","0.27.1","0.27.2","0.27.3","0.27.4","0.27.5","0.27.6","0.3.0","0.3.1","0.3.2","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.5.0","0.5.1","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.9.0","0.9.1","0.9.2","0.9.3"],"database_specific":{"last_known_affected_version_range":"\u003c= 0.27.6","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"}]}