CVE-2023-34089

11.07.2023, 18:15

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Vendor	Product	Version
decidim	decidim	𝑥 < 0.26.7
decidim	decidim	0.27.0 ≤ 𝑥 < 0.27.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/decidim/decidim/releases/tag/v0.26.6

https://github.com/decidim/decidim/releases/tag/v0.27.3

https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9

https://github.com/decidim/decidim/releases/tag/v0.26.6

https://github.com/decidim/decidim/releases/tag/v0.27.3

https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9