CVE-2024-39910: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor
(updated )
The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.
The attacker is able to change e.g. to <svg onload=alert(‘XSS’)> if they know how to craft these requests themselves.
References
- github.com/advisories/GHSA-vvqw-fqwx-mqmm
- github.com/decidim/decidim
- github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f
- github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml
- nvd.nist.gov/vuln/detail/CVE-2024-39910
Code Behaviors & Features
Detect and mitigate CVE-2024-39910 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →