CVE-2023-32693

Published: Jul 11, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.

Affected (2)

Products: Decidim: Decidim

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Decidim Decidim	Before 0.26.7
Decidim Decidim	From 0.27.0 to 0.27.3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/decidim/decidim/releases/tag/v0.26.7

Source: security-advisories@github.com

Release Notes

https://github.com/decidim/decidim/releases/tag/v0.27.3

Source: security-advisories@github.com

Release Notes

https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r

Source: security-advisories@github.com

Third Party Advisory

https://github.com/decidim/decidim/releases/tag/v0.26.7

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/decidim/decidim/releases/tag/v0.27.3

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.