#ruby

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

CMS Nexin Adminisztracios Kozpont version 1.2 appears to leave default credentials installed after installation.

CMS iQ-Digital version 2.0 suffers from a cross site scripting vulnerability.

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

Note: added the actual report as a [comment](https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110). ### Summary Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). ### Impact This issue may lead to Sensitive Data Disclosure. ### Patches The problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3). ### Workarounds Disable or unpublish all meetings components from your application.

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. This vulnerability is related to the deserialization of untrusted data from the `_state` query parameter, which can result in remote code execution. The issue has been addressed in version `14.5.0`. Users are advised to upgrade their software to this version or any subsequent versions that include the patch.

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.