CVE-2023-32693

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
decidimdecidim
𝑥
< 0.26.7
decidimdecidim
0.27.0 ≤
𝑥
< 0.27.3
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
decidimdecidim
0.25.0 ≤
𝑥
< 0.26.7
ADP
decidimdecidim
0.27.0 ≤
𝑥
< 0.27.3
ADP
Common Weakness Enumeration
References
https://github.com/decidim/decidim/releases/tag/v0.26.7
https://github.com/decidim/decidim/releases/tag/v0.27.3
https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r
https://github.com/decidim/decidim/releases/tag/v0.26.7
https://github.com/decidim/decidim/releases/tag/v0.27.3
https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r