Updated advisory posts against rubysec/ruby-advisory-db@2780bcd

jasnow · RubySec CI · commit bfc745bcf96e · 2024-09-17T18:44:10.000Z
diff --git a/advisories/_posts/2024-03-01-CVE-2023-46950.md b/advisories/_posts/2024-03-01-CVE-2023-46950.md
@@ -0,0 +1,33 @@
+---
+layout: advisory
+title: 'CVE-2023-46950 (sidekiq-unique-jobs): Cross Site Scripting vulnerability in
+  Contribsys Sidekiq'
+comments: false
+categories:
+- sidekiq-unique-jobs
+advisory:
+  gem: sidekiq-unique-jobs
+  cve: 2023-46950
+  ghsa: fhx8-5c23-x7x5
+  url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+  title: Cross Site Scripting vulnerability in Contribsys Sidekiq
+  date: 2024-03-01
+  description: |
+    Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8
+    allows a remote attacker to obtain sensitive information via a
+    crafted URL to the filter functions.
+  cvss_v3: 6.1
+  patched_versions:
+  - "~> 7.1.33"
+  - ">= 8.0.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46950
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7
+    - https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/cd09ba6108f98973b6649a6149790c3d4502b4cc
+    - https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
+    - https://github.com/advisories/GHSA-fhx8-5c23-x7x5
+---
diff --git a/advisories/_posts/2024-09-16-CVE-2024-32034.md b/advisories/_posts/2024-09-16-CVE-2024-32034.md
@@ -0,0 +1,45 @@
+---
+layout: advisory
+title: 'CVE-2024-32034 (decidim-admin): Decidim::Admin vulnerable to cross-site scripting
+  (XSS) in the admin activity log'
+comments: false
+categories:
+- decidim-admin
+advisory:
+  gem: decidim-admin
+  cve: 2024-32034
+  ghsa: rx9f-5ggv-5rh6
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+  title: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity
+    log
+  date: 2024-09-16
+  description: |
+    ### Impact
+    The admin panel is subject to potential XSS attach in case an admin
+    assigns a valuator to a proposal, or does any other action that
+    generates an admin activity log where one of the resources has an
+    XSS crafted.
+
+    ### Patches
+    N/A
+
+    ### Workarounds
+    Redirect the pages /admin and /admin/logs to other admin pages
+    to prevent this access (i.e. `/admin/organization/edit`)
+
+    ### References
+    OWASP ASVS v4.0.3-5.1.3
+  cvss_v3: 6.8
+  patched_versions:
+  - "~> 0.27.7"
+  - ">= 0.28.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32034
+    - https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
+    - https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645
+    - https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072
+    - https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0
+    - https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6
+    - https://github.com/advisories/GHSA-rx9f-5ggv-5rh6
+---
diff --git a/advisories/_posts/2024-09-16-CVE-2024-39910.md b/advisories/_posts/2024-09-16-CVE-2024-39910.md
@@ -0,0 +1,47 @@
+---
+layout: advisory
+title: 'CVE-2024-39910 (decidim): Decidim::Admin vulnerable to cross-site scripting
+  (XSS) in the admin panel with QuillJS WYSWYG editor'
+comments: false
+categories:
+- decidim
+advisory:
+  gem: decidim
+  cve: 2024-39910
+  ghsa: vvqw-fqwx-mqmm
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+  title: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel
+    with QuillJS WYSWYG editor
+  date: 2024-09-16
+  description: |
+    ### Impact
+    The WYSWYG editor QuillJS is subject to potential XSS attach in
+    case the attacker manages to modify the HTML before being
+    uploaded to the server.
+
+    The attacker is able to change e.g. to <svg onload=alert('XSS')>
+    if they know how to craft these requests themselves.
+
+    ### Patches
+    N/A
+
+    ### Workarounds
+    Review the user accounts that have access to the admin panel (i.e.
+    general Administrators, and participatory space's Administrators)
+    and remove access to them if they don't need it.
+
+    Disable the "Enable rich text editor for participants" setting in
+    the admin dashboard.
+
+    ### References
+    OWASP ASVS v4.0.3-5.1.3
+  cvss_v3: 5.4
+  patched_versions:
+  - ">= 0.27.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-39910
+    - https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
+    - https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f
+    - https://github.com/advisories/GHSA-vvqw-fqwx-mqmm
+---
