Headline
GHSA-469h-mqg8-535r: Decidim Cross-site Scripting vulnerability in the external link redirections
Impact
The external link feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.
Patches
Decidim Cross-site Scripting vulnerability in the external link redirections
High severity GitHub Reviewed Published Jul 11, 2023 in decidim/decidim • Updated Jul 11, 2023
Related news
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.6.