SCA: security update for decidim (GHSA-vvqw-fqwx-mqmm)

medium Tenable Self-Hosted Container Security Plugin ID 419558

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- decidim is a Free Open-Source participatory democracy, citizen participation and open government platform for cities and organizations. The WYSIWYG editor QuillJS is subject to a potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change it, e.g. to <svg onload=alert('XSS')>, if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators and participatory space Administrators) and remove access from those that do not need it, and disable the "Enable rich text editor for participants" setting in the admin dashboard. (CVE-2024-39910)

See Also

https://github.com/advisories/GHSA-vvqw-fqwx-mqmm

Plugin Details

Severity: Medium

ID: 419558

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

CVSS Score Source: CVE-2024-39910

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2024

Vulnerability Publication Date: 9/16/2024

Reference Information

CVE: CVE-2024-39910

CWE: CWE-79