decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds
Published: November 13, 2024
SECURITY IDENTIFIERS
- CVE: CVE-2024-45594 (NVD)
- GHSA: GHSA-j4h6-gcj7-7v9v
- Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
GEM
decidim-meetings
SEVERITY
CVSS v3.x: 7.7 (High)
UNAFFECTED VERSIONS
< 0.28.0
PATCHED VERSIONS
~> 0.28.3
>= 0.29.0
DESCRIPTION
Impact
The meeting embed feature used in online or hybrid meetings is vulnerable to cross-site scripting (XSS) through a malformed URL supplied for the embed.
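The defensive pattern for this class of bug, as an added Ruby example that is not Decidim's own code: the embed URL is treated as untrusted input, parsed and checked against an allowlisted scheme before use, and then HTML-escaped for the attribute context it is rendered into. The `https`-only rule and the iframe markup are assumptions chosen for illustration.

```ruby
require "uri"
require "erb"

# Unsafe pattern (for contrast only): interpolating the raw value into markup lets
# a crafted URL break out of the src attribute or use a non-http scheme.
def unsafe_embed_iframe(raw)
  %(<iframe src="#{raw}"></iframe>)
end

# Returns the normalized URL string if it is acceptable to embed, otherwise nil.
# Assumption: only absolute https URLs with a host are embeddable meeting links.
def safe_embed_url(raw)
  return nil if raw.nil?
  uri = begin
    URI.parse(raw.strip)       # raises on characters a URL may not contain ('"', space, ...)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.is_a?(URI::HTTPS)          # rejects javascript:, data:, http:, relative
  return nil if uri.host.nil? || uri.host.empty?    # rejects "https:" with no authority
  return nil if uri.userinfo                        # rejects "https://x@host" style confusion
  uri.to_s
end

# Hardened pattern: validate first, then escape for the HTML attribute context.
# Escaping is still required after validation so that '&', '"' and friends in a
# syntactically valid URL cannot alter the surrounding markup.
def embed_iframe(raw)
  url = safe_embed_url(raw)
  return nil unless url
  %(<iframe src="#{ERB::Util.html_escape(url)}"></iframe>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate meeting link, one malformed one.
  puts embed_iframe("https://meet.example.org/room/42?x=1&y=2")
  p embed_iframe("javascript:alert(1)")   # nil: rejected before rendering
end
```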
Workarounds
Disable the creation of meetings by participants in the meeting component.
References
OWASP ASVS v4.0.3-5.1.3
Credits
This issue was discovered in a security audit organized by mitgestalten Partizipationsbüro against Decidim. The security audit was implemented by the Austrian Institute of Technology.
