CVE-2023-51447

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published: Feb 20, 2024
Updated: Dec 16, 2024
CWE ID 79

Summary

CVE-2023-51447 is a cross-site scripting (XSS) vulnerability affecting Decidim, a participatory democracy framework. The issue lies in the dynamic file upload feature, which can be exploited if an attacker manipulates file names during upload. This vulnerability arises in sections where users control the upload dialogs and have the technical ability to alter file names. Successful exploitation requires an attacker to control a user session and upload a malicious file with a manipulated name, followed by directing the user to the affected record's edit page. Versions 0.27.0 to 0.27.4 and 0.28.0 are susceptible to this issue. Users can mitigate the risk by patching their Decidim instances or disabling dynamic uploads. Versions 0.27.5 and 0.28.0 include the necessary patch.
