Decidim Vulnerable to XSS Attack in Version Control Feature
CVE-2024-41673
CVSS score: 7.1 HIGH
What is CVE-2024-41673?
A security vulnerability has been identified in the Decidim participatory democracy framework, specifically in its version control feature. The flaw exposes the framework to cross-site scripting (XSS) through improperly formatted URLs. An attacker could use it to execute arbitrary scripts in the browsers of users who interact with the affected resources. To mitigate the issue, update to version 0.27.8 or later, which includes the security patch for this vulnerability. For further information, refer to the security advisory and commit linked below.
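The advisory does not describe how the malformed URLs reach the page, so the following is a general illustration rather than Decidim's code or its patch: an added Ruby example (Decidim is a Rails application) contrasting the unsafe pattern of interpolating an untrusted URL straight into markup with a hardened helper that accepts only well-formed absolute http(s) URLs and HTML-escapes everything that reaches the markup. The helper names (safe_http_url, render_link_unsafe, render_link_safe) and the sample inputs are assumptions made for this example.

```ruby
require "uri"
require "erb"

# Hypothetical helper (not Decidim's code): accept only a well-formed absolute
# http(s) URL with a host. Anything else (javascript:, data:, relative or
# syntactically invalid input) is rejected by returning nil.
def safe_http_url(raw)
  return nil if raw.nil? || raw.strip.empty?
  uri = URI.parse(raw.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Unsafe pattern: an untrusted value is interpolated directly into an
# attribute, so a crafted value can break out of the href and inject markup.
def render_link_unsafe(raw, label)
  %(<a href="#{raw}">#{label}</a>)
end

# Hardened pattern: validate the URL first, then HTML-escape both the URL and
# the label so neither can terminate the attribute or element. When the URL
# is rejected, only the escaped label is rendered (no link at all).
def render_link_safe(raw, label)
  url = safe_http_url(raw)
  return ERB::Util.html_escape(label) if url.nil?
  %(<a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(label)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for demonstration.
  puts render_link_safe("http://example.com/versions/3", "Version 3")
  puts render_link_safe("javascript:alert(1)", "Version 3")
  puts render_link_safe("not a url", "Version 3")
end
```

Scheme validation and output escaping are separate controls: the scheme check stops the URL from carrying an executable payload, and escaping stops any value from leaving its attribute or element. A reviewer should expect to see both wherever a user-influenced URL is rendered.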
Affected Version(s)
decidim < 0.27.8