GHSA SYNC: 3 brand new advisories

gems/decidim-admin/CVE-2024-27095.yml

@@ -0,0 +1,42 @@
+---
+gem: decidim-admin
+cve: 2024-27095
+ghsa: 529p-jj47-w3m3
+url: https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3
+title: Decidim cross-site scripting (XSS) in the admin panel
+date: 2024-07-10
+description: |
+  ### Impact
+
+  The admin panel is subject to potential XSS attach in case the attacker
+  manages to modify some records being uploaded to the server.
+
+  The attacker is able to change  e.g. to `<svg onload=alert('XSS')>`
+  if they know how to craft these requests themselves. And then enter
+  the returned blob ID to the form inputs manually by modifying the
+  edit page source.
+
+  ### Patches
+
+  Available in versions 0.27.6 and 0.28.1.
+
+  ### Workarounds
+
+  Review the user accounts that have access to the admin panel (i.e.
+  general Administrators, and participatory space's Administrators)
+  and remove access to them if they don't need it.
+
+  ### References
+
+  OWASP ASVS v4.0.3-5.1.3
+cvss_v3: 5.4
+patched_versions:
+  - "~> 0.27.6"
+  - ">= 0.28.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-27095
+    - https://github.com/decidim/decidim/security/advisories/GHSA-529p-jj47-w3m3
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/decidim/decidim/releases/tag/v0.28.1
+    - https://github.com/advisories/GHSA-529p-jj47-w3m3

gems/decidim/CVE-2024-27090.yml

@@ -0,0 +1,34 @@
+---
+gem: decidim
+cve: 2024-27090
+ghsa: qcj6-vxwx-4rqv
+url: https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
+title: Decidim vulnerable to data disclosure through the embed feature
+date: 2024-07-10
+description: |
+  ### Impact
+  If an attacker can infer the slug or URL of an unpublished or private
+  resource, and this resource can be embedded (such as a Participatory
+  Process, an Assembly, a Proposal, a Result, etc), then some data of
+  this resource could be accessed.
+
+  ### Patches
+
+  Version 0.27.6
+
+  https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
+
+  ### Workarounds
+
+  Disallow access through your web server to the URLs finished with `/embed.html`
+cvss_v3: 5.3
+patched_versions:
+  - ">= 0.27.6"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-27090
+    - https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv
+    - https://github.com/decidim/decidim/pull/12528
+    - https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/advisories/GHSA-qcj6-vxwx-4rqv

gems/decidim/CVE-2024-32469.yml

@@ -0,0 +1,40 @@
+---
+gem: decidim
+cve: 2024-32469
+ghsa: 7cx8-44pc-xv3q
+url: https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
+title: Decidim cross-site scripting (XSS) in the pagination
+date: 2024-07-10
+description: |
+  ### Impact
+
+  The pagination feature used in searches and filters is subject to
+  potential XSS attack through a malformed URL using the GET parameter
+  `per_page`.
+
+  ### Patches
+
+  Patched in version 0.27.6 and 0.28.1
+
+  ### References
+
+  OWASP ASVS v4.0.3-5.1.3
+
+  ### Credits
+
+  This issue was discovered in a security audit organized by the
+  [mitgestalten Partizipationsbüro](https://partizipationsbuero.at/)
+  and funded by [netidee](https://www.netidee.at/) against Decidim
+  done during April 2024. The security audit was implemented by
+  [AIT Austrian Institute of Technology GmbH](https://www.ait.ac.at/),
+cvss_v3: 7.1
+patched_versions:
+  - "~> 0.27.6"
+  - ">= 0.28.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-32469
+    - https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
+    - https://github.com/decidim/decidim/releases/tag/v0.27.6
+    - https://github.com/decidim/decidim/releases/tag/v0.28.1
+    - https://github.com/advisories/GHSA-7cx8-44pc-xv3q