{
  "id": "CVE-2023-51447",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-02-20T18:15:50.547",
  "lastModified": "2024-02-20T19:50:53.960",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 4.2
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "references": [
    { "url": "https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423", "source": "security-advisories@github.com" },
    { "url": "https://github.com/decidim/decidim/pull/11612", "source": "security-advisories@github.com" },
    { "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5", "source": "security-advisories@github.com" },
    { "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0", "source": "security-advisories@github.com" },
    { "url": "https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq", "source": "security-advisories@github.com" },
    { "url": "https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14", "source": "security-advisories@github.com" }
  ]
}
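The description above lays out a data flow rather than a single bug: a blob whose filename comes from a hand-crafted direct upload request instead of the browser's file picker, a blob ID pasted into the form, and an edit page that renders the stored filename into the DOM for whoever opens it. The Ruby sketch below is an added illustration of that flow and of the two mitigations a reviewer would look for (escaping at the rendering sink, and a filename policy at the upload endpoint). It is not code from Decidim, Rails or the advisory, and it does not claim to reproduce the actual fix in the referenced commit; `Blob`, `BlobStore`, `render_attachment_vulnerable`, `render_attachment_safe`, `acceptable_filename?`, `FILENAME_POLICY` and the payload string are all constructed for this example.

```ruby
require "erb"

# Constructed stand-in for the record that Active Storage's direct upload
# endpoint creates from client-supplied attributes (filename, content type,
# byte size). Nothing here talks to Rails or Decidim; it only mirrors the
# data flow described in the advisory.
Blob = Struct.new(:id, :filename, :content_type, :byte_size, keyword_init: true)

class BlobStore
  def initialize
    @blobs = {}
    @next_id = 0
  end

  # Mirrors what a hand-crafted POST to the direct upload endpoint achieves:
  # the request body, not the browser's file picker, decides the stored name.
  def create_before_direct_upload!(filename:, content_type:, byte_size:)
    @next_id += 1
    @blobs[@next_id] = Blob.new(id: @next_id, filename: filename,
                                content_type: content_type, byte_size: byte_size)
  end

  def find(id)
    @blobs.fetch(id)
  end
end

# Vulnerable renderer: the stored filename is interpolated straight into
# markup, so a name containing HTML becomes part of the edit page's DOM
# for any user who is sent to that page.
def render_attachment_vulnerable(blob)
  %(<div class="attachment" data-blob-id="#{blob.id}">) +
    %(<span class="filename">#{blob.filename}</span></div>)
end

# Hardened renderer: the attacker-influenced value is HTML-escaped at the
# sink. ERB::Util.html_escape (stdlib) escapes & < > " and '.
def render_attachment_safe(blob)
  %(<div class="attachment" data-blob-id="#{blob.id}">) +
    %(<span class="filename">#{ERB::Util.html_escape(blob.filename)}</span></div>)
end

# Defence in depth at the upload endpoint: a conservative filename policy
# (hypothetical, not a Decidim or Rails setting) that rejects markup, quotes,
# control characters and path separators before the blob is created.
# \p{Alnum} keeps Unicode letters and digits acceptable.
FILENAME_POLICY = /\A[\p{Alnum}_ .()\-\[\]]{1,200}\z/

def acceptable_filename?(name)
  name = name.to_s
  name.match?(FILENAME_POLICY) && !name.include?("..")
end

if __FILE__ == $PROGRAM_NAME
  store = BlobStore.new
  # Constructed payload standing in for a filename sent in a crafted request.
  evil = %(report.pdf"><img src=x onerror="alert(document.cookie)">)
  blob = store.create_before_direct_upload!(filename: evil,
                                            content_type: "application/pdf",
                                            byte_size: 1024)
  puts render_attachment_vulnerable(blob)   # the <img onerror> lands in the page
  puts render_attachment_safe(blob)         # same name, rendered as inert text
  p acceptable_filename?(evil)              # false: rejected at the endpoint
end
```

Escaping at the sink is the fix that actually closes the hole, because the filename is untrusted regardless of how it was stored; the endpoint policy only narrows what an attacker can persist and is worth adding where a product can live with restricted filenames. Both are independent of the workaround in the record (disabling dynamic uploads), which removes the endpoint altogether.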