Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
References
Link | Resource |
---|---|
https://github.com/decidim/decidim/releases/tag/v0.26.7 | Release Notes |
https://github.com/decidim/decidim/releases/tag/v0.27.3 | Release Notes |
https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r | Third Party Advisory |
https://github.com/decidim/decidim/releases/tag/v0.26.7 | Release Notes |
https://github.com/decidim/decidim/releases/tag/v0.27.3 | Release Notes |
https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:03
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
References | () https://github.com/decidim/decidim/releases/tag/v0.26.7 - Release Notes | |
References | () https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes | |
References | () https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - Third Party Advisory |
21 Jul 2023, 17:16
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes | |
References | (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.7 - Release Notes |
19 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7. |
19 Jul 2023, 19:10
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
CPE | cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:* | |
References | (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - Third Party Advisory | |
References | (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Third Party Advisory | |
First Time |
Decidim decidim
Decidim |
11 Jul 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-11 18:15
Updated : 2024-11-21 08:03
NVD link : CVE-2023-32693
Mitre link : CVE-2023-32693
CVE.ORG link : CVE-2023-32693
JSON object : View
Products Affected
decidim
- decidim
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')