Decidim
CVE-2024-32034
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. /admin/organization/edit).
AnalysisAI
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. /admin/organization/edit). Affected products include: Decidim. Version information: version 0.27.7.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City go
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City go
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City go
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City go
Decidim is a participatory democracy framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploit
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organiza
Decidim is a participatory democracy framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today