ADVISORIES
GEM
SEVERITY
CVSS v3.x: 9.0 (Critical)
UNAFFECTED VERSIONS
- < 0.11.0
PATCHED VERSIONS
- ~> 0.10.3
- >= 0.11.2
DESCRIPTION
Vulnerability type: CWE-89: Improper Neutralization of Special
Elements used in an SQL Command ('SQL Injection')
Vendor:
Decidim International Community Environment
Has vendor confirmed: Yes
Attack type: Remote
Impact:
Code Execution Escalation of Privileges Information Disclosure
Affected component:
A raw sql-statement that uses an interpolated variable
exists in the admin_role_actions method of the
papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb
).
Attack vector:
An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, write files from the filesystem. In the worst case, this could lead to remote code execution on the server.
Description of the vulnerability for use in the CVE
[ℹ] (https://cveproject.github.io/docs/content/key-details-\nphrasing.pdf):
An improper neutralization of special elements used in an SQL
command in the papertrail/version-\nmodel
of the
decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated
admin user to manipulate sql queries\nto disclose information,
read and write files or execute commands.
Discoverer Credits: Wolfgang Hotwagner
References:
https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability https://portswigger.net/web-security/sql-injection
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2024-43415
- https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b
- https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
- https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
- https://github.com/advisories/GHSA-cxwf-qc32-375f