CVE-2024-43415

critical

Description

An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands.

References

https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability

https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f

https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b

Details

Source: Mitre, NVD

Published: 2024-11-12

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 8

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:P

Severity: High

CVSS v3

Base Score: 9

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Severity: Critical

EPSS

EPSS: 0.00078