Decidim Awesome SQL Injection Vulnerability (CVE-2024-43415) Advisory

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability ID: AIT-SA-20241112-01 - Target: decidim-module-decidim_awesome - Vendor: Decidim International Community Environment - Version: All versions, including v0.11.1 - CVE ID: CVE-2024-43415 - Accessibility: Remote - Severity: Critical - Author: Wolfgang Hotwagner (Austrian Institute of Technology) 2. Vulnerability Summary: - Decidim is a participatory democracy framework written in Ruby on Rails, originally developed for the online and offline participation website of the Barcelona City Council. 3. Vulnerability Description: - An attacker with administrative privileges can manipulate database queries to read the database, read files from the filesystem, and write files to the filesystem. In the worst case, this could lead to remote code execution on the server. 4. Exploitation: - The method can be executed via the in . - To trigger the SQL injection, the following request must be executed: - After executing this request, an error is displayed, indicating that the SQL injection has been triggered. 5. Affected Versions: - All versions, including v0.11.1 6. Impact: - Code execution - Privilege escalation - Information disclosure 7. Mitigation: - Upgrade to version 0.10.3 or higher. - Upgrade to version 0.11.2 or higher. 8. Vendor Contact Timeline: - 2024-08-20: Initial contact with vendor. - 2024-08-21: Vendor acknowledges the finding. - 2024-08-22: Security fix update released. - 2024-11-12: Public disclosure. 9. References: - Security Advisory on GitHub This information provides a detailed description of the SQL injection vulnerability in the Decidim Awesome module, including its nature, scope of impact, mitigation steps, and the vendor's response timeline.

Goal Reached Thanks to every supporter — we hit 100%!

Decidim Awesome SQL Injection Vulnerability (CVE-2024-43415) Advisory