CVE-2024-45594
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Decidim's meeting embeds feature allows attackers to inject malicious scripts through specially crafted URLs. Users who view or interact with these malicious meeting embeds could have their sessions hijacked or sensitive information stolen. All Decidim instances using vulnerable versions are affected.
💻 Affected Systems
- Decidim
📦 What is this software?
Decidim by Decidim
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over administrative accounts, manipulate or delete participatory content, and potentially pivot to other systems.
Likely Case
Attackers steal user session cookies, perform actions on behalf of authenticated users, deface meeting pages, or redirect users to malicious sites.
If Mitigated
With proper Content Security Policy (CSP) headers and input validation, the impact is limited to specific meeting pages with minimal data exposure.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited and require minimal technical skill once a proof-of-concept becomes available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.28.3 or 0.29.0
Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
Restart Required: Yes
Instructions:
1. Back up your Decidim instance and database.
2. Update Decidim to version 0.28.3 or 0.29.0 using your package manager or deployment method.
3. Restart the application server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Meeting Embeds
Temporarily disable the meeting embeds feature to prevent exploitation.
Edit Decidim configuration to disable meeting embeds feature
Implement CSP Headers
Add strict Content Security Policy headers to mitigate XSS impact.
Configure web server to include: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in URLs
- Disable user-generated content in meeting embeds and restrict to trusted domains only
🔍 How to Verify
Check if Vulnerable:
Check the Decidim version and whether the meeting embeds feature is enabled. Versions before 0.28.3 or 0.29.0 are vulnerable.
Check Version:
bundle exec rails runner 'puts Decidim::VERSION'
Verify Fix Applied:
Confirm the Decidim version is 0.28.3 or later (or 0.29.0 or later). Test meeting embeds with test XSS payloads to confirm sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns in meeting embed requests
- JavaScript execution errors in meeting pages
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Suspicious URLs containing script tags or JavaScript in meeting embed parameters
- Unexpected outbound connections from meeting pages
SIEM Query:
source="web_server_logs" AND (url="*meeting*" AND (url="*<script>*" OR url="*javascript:*"))
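The SIEM query above matches the literal strings `<script>` and `javascript:`, but in access logs these markers usually arrive percent-encoded (sometimes twice), so a literal match misses them. The following Ruby script is an added example, not part of this advisory or of Decidim: it applies the same rule as the query to constructed combined-format log lines after fully decoding the request URL. The log lines, IPs and paths are constructed samples.

```ruby
require "cgi"

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOGS = [
  '198.51.100.7 - - [10/Oct/2024:12:00:01 +0000] "GET /processes/demo/f/12/meetings/3/embed HTTP/1.1" 200 4312',
  '198.51.100.8 - - [10/Oct/2024:12:00:02 +0000] "GET /processes/demo/f/12/meetings/3/embed?title=%3Cscript%3E%3C%2Fscript%3E HTTP/1.1" 200 4401',
  '198.51.100.9 - - [10/Oct/2024:12:00:03 +0000] "GET /processes/demo/f/12/meetings/3/embed?url=javascript%3Avoid(0) HTTP/1.1" 200 4401',
  '198.51.100.9 - - [10/Oct/2024:12:00:04 +0000] "GET /processes/demo/f/12/meetings/3/embed?q=%253Cscript%253E HTTP/1.1" 200 4401',
  '198.51.100.10 - - [10/Oct/2024:12:00:05 +0000] "GET /search?term=%3Cscript%3E HTTP/1.1" 200 1200'
].freeze

# Extracts method and URL from the quoted request line of a combined-format entry.
REQUEST_LINE = /"(?<method>[A-Z]+) (?<url>\S+) HTTP\/[\d.]+"/

# Percent-decode repeatedly (bounded) so double-encoded markers are not missed.
def fully_decode(url, max_rounds: 3)
  max_rounds.times do
    decoded = CGI.unescape(url)
    return decoded if decoded == url
    url = decoded
  end
  url
end

# Same rule as the SIEM query: URL mentions a meeting and carries a script marker,
# evaluated on the decoded, lower-cased URL.
def suspicious_meeting_request?(url)
  decoded = fully_decode(url).downcase
  decoded.include?("meeting") &&
    (decoded.include?("<script") || decoded.include?("javascript:"))
end

# Returns [client_ip, decoded_url] for every matching log line.
def flag_meeting_embed_xss(lines)
  lines.each_with_object([]) do |line, hits|
    m = REQUEST_LINE.match(line)
    next unless m && suspicious_meeting_request?(m[:url])
    hits << [line.split(" ").first, fully_decode(m[:url])]
  end
end

if $PROGRAM_NAME == __FILE__
  flag_meeting_embed_xss(SAMPLE_LOGS).each { |ip, url| puts "#{ip} #{url}" }
end
```

Running it flags the three meeting-embed requests (including the double-encoded one) and ignores the `/search` hit, which the literal SIEM pattern would also have skipped for lacking `meeting`.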