CVE-2023-32693

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*

History

21 Nov 2024, 08:03

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 8.1
References () https://github.com/decidim/decidim/releases/tag/v0.26.7 - Release Notes () https://github.com/decidim/decidim/releases/tag/v0.26.7 - Release Notes
References () https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes () https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes
References () https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - Third Party Advisory () https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - Third Party Advisory

21 Jul 2023, 17:16

Type Values Removed Values Added
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Third Party Advisory (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.7 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.7 - Release Notes

19 Jul 2023, 20:15

Type Values Removed Values Added
References
  • {'url': 'https://github.com/decidim/decidim/releases/tag/v0.26.6', 'name': 'https://github.com/decidim/decidim/releases/tag/v0.26.6', 'tags': ['Patch', 'Third Party Advisory'], 'refsource': 'MISC'}
  • (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.7 -
Summary Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.6. Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.

19 Jul 2023, 19:10

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
CPE cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - Patch, Third Party Advisory
References (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r - Third Party Advisory
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Third Party Advisory
First Time Decidim decidim
Decidim

11 Jul 2023, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-11 18:15

Updated : 2024-11-21 08:03


NVD link : CVE-2023-32693

Mitre link : CVE-2023-32693

CVE.ORG link : CVE-2023-32693


JSON object : View

Products Affected

decidim

  • decidim
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')