Decidim Cross-site Scripting vulnerability in the external link redirections
CVE-2023-32693

8.1 HIGH

Key Information:

Vendor: Decidim

Status: Vendor

CVE Published: 11 July 2023

What is CVE-2023-32693?

The external link redirection feature of the Decidim framework is vulnerable to cross-site scripting (XSS). An attacker who gets a user to open a crafted link can execute malicious JavaScript in the context of that user's logged-in session (the CVSS metrics below record that user interaction is required). With that capability, an attacker could make other users unintentionally endorse or support proposals. The vulnerability is fixed in Decidim 0.26.7 and 0.27.3; installations on affected versions should upgrade to one of those releases.

Affected Version(s)

decidim >= 0.25.0, < 0.26.7 (fixed in 0.26.7)

decidim >= 0.27.0, < 0.27.3 (fixed in 0.27.3)

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved