CVE-2024-32034
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) in Decidim's admin panel: when administrator actions generate activity log entries that contain attacker-controlled content, that content is rendered to other administrators viewing the logs. Attackers could execute arbitrary JavaScript in the context of admin sessions, potentially compromising administrative accounts. Only the admin panel of a Decidim instance is affected.
💻 Affected Systems
- Decidim
📦 What is this software?
Decidim by Decidim
⚠️ Risk & Real-World Impact
Worst Case
Administrative account takeover leading to complete system compromise, data theft, or unauthorized administrative actions across the entire Decidim platform.
Likely Case
Session hijacking of admin accounts, allowing attackers to perform unauthorized administrative actions or steal sensitive data accessible to administrators.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting specific admin panel functionality.
🎯 Exploit Status
Exploitation requires an attacker to craft XSS payloads that get logged in admin activity logs, then wait for an admin to view those logs. Requires some social engineering or persistence.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.27.7, 0.28.2, and newer
Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
Restart Required: Yes
Instructions:
1. Back up your Decidim instance and database.
2. Update Decidim to version 0.27.7 or 0.28.2 or newer using your package manager or deployment method.
3. Restart the application server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Admin Panel URL Redirection
Redirect vulnerable admin pages to other admin pages to prevent access to the XSS-vulnerable activity logs.
Configure web server (nginx/apache) to redirect /admin and /admin/logs to /admin/organization/edit
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Restrict admin panel access to specific IP addresses or VPN-only access
🔍 How to Verify
Check if Vulnerable:
Check your Decidim version. If it is below 0.27.7, or is 0.28.0 or 0.28.1, you are vulnerable.
Check Version:
bundle exec rails runner 'puts Decidim.version'
Verify Fix Applied:
After updating, verify the version is 0.27.7 or a later 0.27.x release, or 0.28.2 or higher. Test admin activity log functionality.
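The version rule above has two fixed branches (0.27.7 for the 0.27 series, 0.28.2 for 0.28 and later), so a naive "greater than 0.27.7" comparison gets 0.28.0 and 0.28.1 wrong. The following is an added example, not Decidim's own code: it encodes the advisory's rule with `Gem::Version` and treats anything at or above 0.28.2 as fixed (the advisory's "and newer"). Prerelease suffixes such as `0.28.0.rc1` are compared by their release number, since a prerelease of 0.28.0 predates the fix; that handling is an assumption, not something the advisory states.

```ruby
require "rubygems" # Gem::Version ships with Ruby's standard library

# Fixed versions named in the advisory.
FIXED_027 = Gem::Version.new("0.27.7")
FIXED_028 = Gem::Version.new("0.28.2")
FIRST_028 = Gem::Version.new("0.28.0")

# Returns true when the given Decidim version string falls in a vulnerable range:
#   - anything below 0.27.7 (0.26.x, 0.27.0 .. 0.27.6), or
#   - 0.28.0 and 0.28.1.
# Everything from 0.28.2 upwards is treated as fixed ("0.28.2 and newer").
def decidim_vulnerable?(version_string)
  # .release drops prerelease segments ("0.28.0.rc1" -> "0.28.0"), so a release
  # candidate of a vulnerable version is reported as vulnerable (assumption).
  v = Gem::Version.new(version_string).release
  if v < FIRST_028
    v < FIXED_027
  else
    v < FIXED_028
  end
end

# Convenience wrapper for the output of `bundle exec rails runner 'puts Decidim.version'`.
def report(version_string)
  decidim_vulnerable?(version_string) ? "#{version_string}: VULNERABLE, upgrade" : "#{version_string}: fixed"
end

puts report(ARGV.first) if __FILE__ == $PROGRAM_NAME && ARGV.first
```

Run it as `ruby check_version.rb "$(bundle exec rails runner 'puts Decidim.version')"` from the application directory (file name is illustrative).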
📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity log entries containing script tags or JavaScript code
- Multiple failed admin login attempts followed by successful login
Network Indicators:
- Unexpected JavaScript execution in admin panel responses
- Suspicious requests to admin endpoints with encoded payloads
SIEM Query:
source="decidim_logs" AND (message="admin" OR message="activity") AND (message CONTAINS "<script>" OR message CONTAINS "javascript:")
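The SIEM query above matches literal `<script>` and `javascript:` strings, which misses the encoded payloads the network indicators mention. As an added example (not Decidim's code, and not a query for any particular SIEM), the Ruby script below applies the same indicators to admin activity log lines after URL- and HTML-entity-decoding them, and goes slightly beyond the page's list by also flagging inline event handlers (`onerror=`, `onload=`, ...). The JSON log format and the sample lines are constructed for the example; adjust the field names to whatever your log shipper emits.

```ruby
require "cgi"
require "json"

# Indicators from the advisory (script tags, javascript: URIs) plus inline event
# handlers. The last pattern favours recall: a field like "only=true" also matches,
# so review hits rather than alerting blindly on them.
XSS_PATTERNS = [
  /<\s*script\b/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i
].freeze

# URL-decode and HTML-entity-decode a few rounds so that encoded payloads such as
# %3Cscript%3E or &lt;script&gt; are inspected in the clear. Bounded to avoid
# looping on pathological input.
def normalize(value)
  s = value.to_s
  3.times do
    decoded = CGI.unescapeHTML(CGI.unescape(s))
    break if decoded == s
    s = decoded
  end
  s
end

def suspicious?(text)
  n = normalize(text)
  XSS_PATTERNS.any? { |re| n.match?(re) }
end

# Constructed sample log lines (not real Decidim output): one JSON object per line,
# with an "area" field distinguishing admin activity from public-site events.
SAMPLE_LOGS = [
  '{"source":"decidim_logs","area":"admin","message":"activity: updated participatory process \"Budget 2024\""}',
  '{"source":"decidim_logs","area":"admin","message":"activity: created assembly \"<script>alert(1)</script>\""}',
  '{"source":"decidim_logs","area":"admin","message":"activity: renamed page %3Cscript%3Ealert(1)%3C/script%3E"}',
  '{"source":"decidim_logs","area":"public","message":"comment posted: see javascript:void(0) link"}',
  '{"source":"decidim_logs","area":"admin","message":"activity: updated link title &lt;img src=x onerror=alert(1)&gt;"}'
].freeze

# Returns the admin-scoped entries whose message matches an XSS indicator.
# Lines that are not valid JSON are skipped rather than aborting the scan.
def flag_admin_entries(lines)
  lines.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless entry["area"] == "admin"
    next unless suspicious?(entry["message"])
    entry
  end
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV.empty? ? SAMPLE_LOGS : ARGF.each_line.map(&:chomp)
  flag_admin_entries(input).each { |e| puts "FLAGGED: #{e["message"]}" }
end
```

Pipe your shipped admin log (one JSON object per line) into the script, or run it without arguments to see it flag three of the five constructed samples; the public-site line is ignored because the advisory concerns admin activity log rendering.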
🔗 References
- https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645
- https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072
- https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0
- https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6
- https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6