CVE-2023-51447

Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `<svg onload=alert('XSS')>` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423	Patch
https://github.com/decidim/decidim/pull/11612	Issue Tracking
https://github.com/decidim/decidim/releases/tag/v0.27.5	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.28.0	Release Notes
https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq	Mitigation Patch Vendor Advisory
https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14	Product
https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423	Patch
https://github.com/decidim/decidim/pull/11612	Issue Tracking
https://github.com/decidim/decidim/releases/tag/v0.27.5	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.28.0	Release Notes
https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq	Mitigation Patch Vendor Advisory
https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*

History

16 Dec 2024, 22:43

Type	Values Removed	Values Added
References	~~() https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 -~~	() https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 - Patch
References	~~() https://github.com/decidim/decidim/pull/11612 -~~	() https://github.com/decidim/decidim/pull/11612 - Issue Tracking
References	~~() https://github.com/decidim/decidim/releases/tag/v0.27.5 -~~	() https://github.com/decidim/decidim/releases/tag/v0.27.5 - Release Notes
References	~~() https://github.com/decidim/decidim/releases/tag/v0.28.0 -~~	() https://github.com/decidim/decidim/releases/tag/v0.28.0 - Release Notes
References	~~() https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq -~~	() https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq - Mitigation, Patch, Vendor Advisory
References	~~() https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 -~~	() https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 - Product
CPE		cpe:2.3:a:decidim:decidim::::::ruby::*
First Time		Decidim Decidim decidim

21 Nov 2024, 08:38

Type	Values Removed	Values Added
Summary		(es) Decidim es un framework de democracia participativa. A partir de la versión 0.27.0 y antes de las versiones 0.27.5 y 0.28.0, la función de carga dinámica de archivos está sujeta a posibles ataques de Cross-site scripting en caso de que el atacante logre modificar los nombres de los archivos de los registros que se cargan en el servidor. Esto aparece en secciones donde el usuario controla los cuadros de diálogo de carga de archivos y tiene el conocimiento técnico para cambiar los nombres de los archivos a través del endpoint de carga dinámica. Por lo tanto, creo que requeriría que el atacante controlara toda la sesión del usuario en particular, pero en cualquier caso, esto debe solucionarse. La explotación exitosa de esta vulnerabilidad requeriría que el usuario haya subido exitosamente un blob de archivos al servidor con un nombre de archivo malicioso y luego tenga la posibilidad de dirigir al otro usuario a la página de edición del registro donde se adjunta el archivo adjunto. Los usuarios pueden crear ellos mismos las solicitudes de carga directa controlando el nombre del archivo que se almacena en la base de datos. El atacante puede cambiar el nombre del archivo, por ejemplo, a `` si sabe cómo elaborar estas solicitudes por sí mismo. Y luego ingrese el ID del blob devuelto en las entradas del formulario manualmente modificando la fuente de la página de edición. Las versiones 0.27.5 y 0.28.0 contienen un parche para este problema. Como workaround, deshabilite las cargas dinámicas para la instancia, por ejemplo, desde propuestas.
References	~~() https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 -~~	() https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423 -
References	~~() https://github.com/decidim/decidim/pull/11612 -~~	() https://github.com/decidim/decidim/pull/11612 -
References	~~() https://github.com/decidim/decidim/releases/tag/v0.27.5 -~~	() https://github.com/decidim/decidim/releases/tag/v0.27.5 -
References	~~() https://github.com/decidim/decidim/releases/tag/v0.28.0 -~~	() https://github.com/decidim/decidim/releases/tag/v0.28.0 -
References	~~() https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq -~~	() https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq -
References	~~() https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 -~~	() https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14 -

20 Feb 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 18:15

Updated : 2024-12-16 22:43

NVD link : CVE-2023-51447

Mitre link : CVE-2023-51447

CVE.ORG link : CVE-2023-51447

JSON object : View

Products Affected

decidim

decidim

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.3 /10