ADVISORIES

• CVE-2024-27090 (NVD)
• GHSA-qcj6-vxwx-4rqv
• Vendor Advisory

GEM

decidim

SEVERITY

CVSS v3.x: 5.3 (Medium)

PATCHED VERSIONS

• >= 0.27.6

DESCRIPTION

Impact

If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed.

Patches

Version 0.27.6

https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705

Workarounds

Disallow access through your web server to the URLs finished with /embed.html

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2024-27090
• https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
• https://github.com/decidim/decidim/pull/12528
• https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
• https://github.com/decidim/decidim/releases/tag/v0.27.6
• https://github.com/advisories/GHSA-qcj6-vxwx-4rqv