Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-vvqw-fqwx-mqmm

GitHub Security Advisory

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact

The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.

The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves.

### Patches

N/A

### Workarounds

Review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it.

Disable the "Enable rich text editor for participants" setting in the admin dashboard

### References

OWASP ASVS v4.0.3-5.1.3

Affected Packages

RubyGems decidim
Affected versions: 0 (fixed in 0.27.7)

Related CVEs

CVE-2024-39910

Key Information

GHSA ID
GHSA-vvqw-fqwx-mqmm
Published
September 16, 2024 5:17 PM
Last Modified
September 17, 2024 10:27 PM
CVSS Score
5.0 /10
Primary Ecosystem
RubyGems
Primary Package
decidim
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.