ADVISORIES

• CVE-2024-32469 (NVD)
• GHSA-7cx8-44pc-xv3q
• Vendor Advisory

GEM

decidim

SEVERITY

CVSS v3.x: 7.1 (High)

PATCHED VERSIONS

• ~> 0.27.6
• >= 0.28.1

DESCRIPTION

Impact

The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter per_page.

Patches

Patched in version 0.27.6 and 0.28.1

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by the mitgestalten Partizipationsbüro and funded by netidee against Decidim done during April 2024. The security audit was implemented by AIT Austrian Institute of Technology GmbH,

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2024-32469
• https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
• https://github.com/decidim/decidim/releases/tag/v0.27.6
• https://github.com/decidim/decidim/releases/tag/v0.28.1
• https://github.com/advisories/GHSA-7cx8-44pc-xv3q