Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log
Moderate severity • GitHub Reviewed
Published Sep 16, 2024 in decidim/decidim • Updated Sep 17, 2024
Impact
The admin panel is subject to a potential XSS attack when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry in which one of the referenced resources carries a crafted XSS payload.
Patches
N/A
Workarounds
Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (e.g. /admin/organization/edit)
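As an added illustration (not Decidim's own code), the Ruby sketch below shows how an activity log line should render the names it interpolates: each untrusted value is escaped before it enters the markup, shown beside the unsafe interpolation that reproduces the bug class described above, plus a small audit helper for finding already-stored resource titles that carry markup. The admin, valuator and proposal names are constructed samples.

```ruby
require "erb"

# Constructed sample proposal titles, as users might have stored them (not real Decidim data).
SAMPLE_TITLES = [
  "Improve bike lanes on Main Street",
  "<script>alert(1)</script>Budget review",   # markup smuggled into a title
  "Park & playground upgrade"                 # harmless, must survive escaping intact
].freeze

# Escape one untrusted fragment; nil becomes an empty string.
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Hardened rendering: the template is trusted, every interpolated value is escaped,
# so a crafted resource title cannot inject markup into the admin log page.
def render_log_line(admin_name:, valuator_name:, proposal_title:)
  "<li>#{h(admin_name)} assigned <strong>#{h(valuator_name)}</strong> " \
    "to proposal <em>#{h(proposal_title)}</em></li>"
end

# Unsafe 'before' for comparison only: raw interpolation lets the title's markup
# reach the browser, which is the bug class the advisory describes.
def render_log_line_unsafe(admin_name:, valuator_name:, proposal_title:)
  "<li>#{admin_name} assigned <strong>#{valuator_name}</strong> " \
    "to proposal <em>#{proposal_title}</em></li>"
end

# Audit helper for already-stored data: flag titles containing an HTML tag or an
# inline event-handler attribute so they can be reviewed before the log renders them.
MARKUP_PATTERN = %r{<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=}i
def suspicious_titles(titles)
  titles.select { |title| title.match?(MARKUP_PATTERN) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TITLES.each do |title|
    puts render_log_line(admin_name: "Ana", valuator_name: "Bob", proposal_title: title)
  end
  puts "needs review: #{suspicious_titles(SAMPLE_TITLES).inspect}"
end
```

Run the audit helper over exported titles of every resource type the log can reference (proposals, valuators, users), not just proposals, since any of them may appear in a log entry.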
References
OWASP ASVS v4.0.3-5.1.3