rubysec · postmodern · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/gems/decidim-meetings/CVE-2024-45594.yml b/gems/decidim-meetings/CVE-2024-45594.yml
@@ -0,0 +1,39 @@
+---
+gem: decidim-meetings
+cve: 2024-45594
+ghsa: j4h6-gcj7-7v9v
+url: https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+title: decidim-meetings Cross-site scripting vulnerability
+  in the online or hybrid meeting embeds
+date: 2024-11-13
+description: |
+  ### Impact
+
+  The meeting embeds feature used in the online or hybrid meetings
+  is subject to potential XSS attack through a malformed URL.
+
+  ### Workarounds
+
+  Disable the creation of meetings by participants in the meeting component.
+
+  ### References
+
+  OWASP ASVS v4.0.3-5.1.3
+
+  ### Credits
+
+  This issue was discovered in a security audit organized by mitgestalten
+  Partizipationsbüro against Decidim. The security audit was implemented
+  by the Austrian Institute of Technology.
+cvss_v3: 7.7
+unaffected_versions:
+  - "< 0.28.0"
+patched_versions:
+  - "~> 0.28.3"
+  - ">= 0.29.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-45594
+    - https://github.com/decidim/decidim/releases/tag/v0.28.3
+    - https://github.com/decidim/decidim/security/advisories/GHSA-j4h6-gcj7-7v9v
+    - https://github.com/advisories/GHSA-j4h6-gcj7-7v9v