CVE-2023-51447
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2023-51447 is a cross-site scripting (XSS) vulnerability in Decidim, a participatory democracy framework. The flaw is in the dynamic file upload feature: in sections where users control the upload dialog and can choose the name of the file they upload, a crafted file name is later rendered into the page as markup, so it carries injected script. To exploit it, an attacker needs access to a user account that is permitted to use the affected upload dialog, uploads a file with a crafted name, and then lures a victim to the edit page of the affected record, where the payload executes in the victim's browser. Versions 0.27.0 through 0.27.4 and the 0.28.0 release candidates are affected; the fix ships in 0.27.5 and in the final 0.28.0 release. Instances that cannot be upgraded immediately can reduce exposure by disabling dynamic uploads.
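The bug class behind this advisory is a stored XSS through an attacker-chosen file name that is interpolated into HTML when the upload dialog's file list is rendered. The following Ruby is an added illustration written for this page, not Decidim's own code: it uses a hypothetical upload record shape (`name`, `size`) and hypothetical function names, shows the unsafe interpolation beside the escaped version, and adds two defence-in-depth helpers (a server-side file name sanitiser and a check for names that look like injection attempts) that a maintainer could run over already-stored names while patching.

```ruby
require "erb"

# Constructed sample data: two upload records as a dynamic-upload dialog might
# hold them. The second name is an XSS payload. (Hypothetical shape, not the
# real Decidim data model.)
SAMPLE_UPLOADS = [
  { name: "minutes.pdf", size: 1024 },
  { name: "<img src=x onerror=alert(document.cookie)>.pdf", size: 2048 },
].freeze

# Vulnerable rendering: the attacker-controlled name goes straight into markup,
# so a name containing tags becomes live HTML on the record's edit page.
def render_file_list_unsafe(uploads)
  items = uploads.map { |u| "<li data-size=\"#{u[:size]}\">#{u[:name]}</li>" }
  "<ul class=\"upload-items\">#{items.join}</ul>"
end

# Hardened rendering: every untrusted value is HTML-escaped at the point of
# output (Rails' `h` helper is ERB::Util.html_escape underneath), and the
# numeric attribute is coerced to an integer so it cannot carry markup either.
def render_file_list_safe(uploads)
  items = uploads.map do |u|
    "<li data-size=\"#{u[:size].to_i}\">#{ERB::Util.html_escape(u[:name])}</li>"
  end
  "<ul class=\"upload-items\">#{items.join}</ul>"
end

# Defence in depth on the way in: keep only the basename (drops path traversal),
# replace control characters and HTML/JS metacharacters, cap the length, and
# never return an empty name. Output escaping above remains the real fix;
# this only shrinks the attack surface stored in the database.
def sanitize_filename(name)
  base = File.basename(name.to_s)
  cleaned = base.gsub(/[\x00-\x1f<>"'`&\\]/, "_")[0, 255]
  (cleaned.empty? || cleaned == ".") ? "upload" : cleaned
end

# Heuristic for triaging names already stored before the patch: tags, quotes,
# javascript: URLs or inline event handlers are not expected in a file name.
def suspicious_filename?(name)
  name.to_s.match?(/[<>"'`]|javascript:|\bon\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_file_list_unsafe(SAMPLE_UPLOADS)
  puts render_file_list_safe(SAMPLE_UPLOADS)
  SAMPLE_UPLOADS.each do |u|
    puts "#{u[:name].inspect} -> sanitized #{sanitize_filename(u[:name]).inspect}," \
         " suspicious=#{suspicious_filename?(u[:name])}"
  end
end
```

Run it with plain `ruby` and compare the two `<ul>` lines: the unsafe version emits the `<img ... onerror=...>` tag intact, the safe version emits it as `&lt;img ...&gt;`. The sanitiser is deliberately a blacklist rather than an ASCII whitelist so that legitimate non-ASCII file names survive; the escaping step is what actually closes the hole.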
Affected Products
- Decidim
Affected Vendors
- Decidim