HIGH 7.7
GHSA-j4h6-gcj7-7v9v
decidim-meetings Cross-site scripting vulnerability in the online or hybrid meeting embeds
Details
### Impact
The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL.
### Patches
Not available
### Workarounds
Disable the creation of meetings by participants in the meeting component.
### References
OWASP ASVS v4.0.3-5.1.3
### Credits
This issue was discovered in a security audit organized by mitgestalten Partizipationsbüro against Decidim. The security audit was implemented by the Austrian Institute of Technology.
Are you affected?
Enter the version of the package you're using.
Affected packages
RubyGems / decidim-meetings
Introduced in:
0.28.0 Fixed in: 0.28.3 Fix
bundle update decidim-meetings