GHSA-qcj6-vxwx-4rqv

GitHub Security Advisory

Decidim vulnerable to data disclosure through the embed feature

✓ GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact

If an attacker can infer the slug or URL of an unpublished or private resource, and that resource type can be embedded (a Participatory Process, an Assembly, a Proposal, a Result, etc.), then some of the resource's data can be read through its embed view (the `/embed.html` URL) even though the resource is not published or is private.
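To make the failure mode concrete, here is an added illustration in plain Ruby; it is not Decidim's code and not the fix in the commit below. It contrasts an embed action that looks a resource up by slug and renders it unconditionally with one that refuses the request unless the resource is visible to the requester. The `Resource` struct, the sample slugs and the `visible_to?` rule (published, and if in a private space, requester is a member) are hypothetical assumptions for the example.

```ruby
# Added illustration, not Decidim's code. All names and data are hypothetical.

# A resource that can be embedded. `visible_to?` is the rule the normal
# (non-embed) view is assumed to enforce: it must be published, and if it
# belongs to a private space the requester must be a member of that space.
Resource = Struct.new(:slug, :title, :published, :private_space, :members,
                      keyword_init: true) do
  def visible_to?(user)
    return false unless published
    return true unless private_space
    !user.nil? && members.include?(user)
  end
end

class NotFound < StandardError; end

# Constructed sample data: one public, one unpublished, one private resource.
RESOURCES = {
  "budget-2024" => Resource.new(slug: "budget-2024", title: "Budget 2024",
                                published: true,  private_space: false, members: []),
  "draft-plan"  => Resource.new(slug: "draft-plan",  title: "Draft plan",
                                published: false, private_space: false, members: []),
  "board-only"  => Resource.new(slug: "board-only",  title: "Board only",
                                published: true,  private_space: true,  members: ["alice"])
}.freeze

# Vulnerable shape: the embed action finds the resource by slug and returns
# its data without asking whether the requester may see it. Anyone who can
# guess or infer the slug learns the title of an unpublished or private item.
def embed_vulnerable(slug, _user)
  resource = RESOURCES[slug] or raise NotFound
  { slug: resource.slug, title: resource.title }
end

# Hardened shape: the same lookup, but the response is refused unless the
# resource passes the visibility rule. An unknown slug and a hidden slug both
# answer NotFound, so the endpoint does not confirm which slugs exist.
def embed_hardened(slug, user)
  resource = RESOURCES[slug]
  raise NotFound unless resource && resource.visible_to?(user)
  { slug: resource.slug, title: resource.title }
end
```

The point of the hardened shape is that the embed route reuses the same visibility decision as the regular view; an embed view with its own, weaker check (or none) is exactly what turns a guessable slug into a disclosure.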

### Patches

Fixed in version 0.27.6. The fix commit:

https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705

### Workarounds

Until you can upgrade, block requests for URLs ending in `/embed.html` at your web server or reverse proxy, so that they never reach the Decidim application.
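One way to apply that workaround, as an added example that is not part of the advisory: an nginx server block that returns 404 for any path ending in `/embed.html` before proxying everything else to Decidim. It assumes nginx is the reverse proxy in front of the application; the hostname and the `decidim_app` upstream name are hypothetical.

```nginx
# Added example, not from the advisory. Hostname and upstream are hypothetical.
server {
    listen 443 ssl;
    server_name participation.example.org;

    # nginx evaluates regex locations before falling back to the longest
    # prefix match, so this rule wins over "location /" below for every
    # path ending in /embed.html, whatever the resource type in front of it.
    location ~ /embed\.html$ {
        return 404;
    }

    location / {
        proxy_pass http://decidim_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading, confirm with a request such as `curl -sI https://participation.example.org/processes/some-slug/embed.html` that the response is now 404 rather than 200. The pattern covers only the `.html` form named in the advisory; if your routing also answers the same action under a different path or format suffix, extend the regex accordingly, and remove the rule once you are on 0.27.6 or later.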

Affected Packages

RubyGems decidim
Affected versions: >= 0, < 0.27.6 (fixed in 0.27.6)

Key Information

GHSA ID
GHSA-qcj6-vxwx-4rqv
Published
July 10, 2024 3:10 PM
Last Modified
July 11, 2024 9:36 PM
CVSS Score
5.0 / 10
Primary Ecosystem
RubyGems
Primary Package
decidim
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.