CVE-2024-45594

HIGH7.7EPSS 0.29%

decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds

Published: 11/13/2024Modified: 11/13/2024

Description

### Impact The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. ### Patches Not available ### Workarounds Disable the creation of meetings by participants in the meeting component. ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by mitgestalten Partizipationsbüro against Decidim. The security audit was implemented by the Austrian Institute of Technology.

Affected packages (1)

RubyGems/decidim-meetings>= 0.28.0, < 0.28.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-45594
PATCHhttps://github.com/decidim/decidim
WEBhttps://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v