RubySec

Providing security resources for the Ruby community

CVE-2024-32469 (decidim): Decidim cross-site scripting (XSS) in the pagination

Published: July 10, 2024

SECURITY IDENTIFIERS

CVE-2024-32469

GEM

decidim

SEVERITY

CVSS v3.x: 7.1 (High)

PATCHED VERSIONS

~> 0.27.6
>= 0.28.1

DESCRIPTION

Impact

The pagination feature used in searches and filters is vulnerable to cross-site scripting: an attacker-crafted URL carrying a malformed value in the GET parameter per_page can inject script into the rendered page, because that value was not validated before being used to build the pagination markup.
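The pattern behind this class of bug, shown as an added illustration rather than Decidim's own code: a raw per_page query value interpolated into a pagination link, beside a hardened version that accepts only an allow-listed integer page size and HTML-escapes everything that reaches the markup. The function names, the path, the page-size list and the malicious input are all hypothetical and constructed for the example.

```ruby
require "erb"

# Hypothetical allow list of page sizes; anything else falls back to the
# default. These values are an assumption, not Decidim's configuration.
PER_PAGE_OPTIONS = [10, 20, 50, 100].freeze
DEFAULT_PER_PAGE = PER_PAGE_OPTIONS.first

# Constructed attacker input: closes the href attribute and injects a tag.
EVIL_PER_PAGE = %q{"><script>alert(1)</script>}

# Vulnerable pattern (illustrative): the raw query-string value is dropped
# straight into the href with no validation and no escaping, so a crafted
# per_page value breaks out of the attribute and lands in the page as markup.
def pagination_link_vulnerable(path, page, per_page)
  %(<a href="#{path}?page=#{page}&per_page=#{per_page}">#{page}</a>)
end

# Positive validation (the ASVS 5.1.3 approach): parse per_page as a base-10
# integer and accept it only if it is one of the known page sizes.
# "20abc", "<script>", "" and nil all fail Integer() and fall back.
def sanitize_per_page(raw)
  value = Integer(raw, 10) rescue nil
  PER_PAGE_OPTIONS.include?(value) ? value : DEFAULT_PER_PAGE
end

# Same for the page number: must be a positive integer, else page 1.
def sanitize_page(raw)
  value = Integer(raw, 10) rescue 1
  value < 1 ? 1 : value
end

# Hardened pattern: validated integers only, and the finished href is
# HTML-escaped as a second line of defence before it enters the attribute.
def pagination_link_safe(path, page, per_page)
  page = sanitize_page(page)
  per_page = sanitize_per_page(per_page)
  href = "#{path}?page=#{page}&per_page=#{per_page}"
  %(<a href="#{ERB::Util.html_escape(href)}">#{page}</a>)
end

# Rudimentary check a reviewer can run on rendered output: does any raw
# <script tag survive? (A real audit would use an HTML parser.)
def contains_script_tag?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts pagination_link_vulnerable("/search", 1, EVIL_PER_PAGE)
  puts pagination_link_safe("/search", 1, EVIL_PER_PAGE)
end
```

Rejecting the value at parse time is what actually removes the bug: once per_page can only ever be one of a handful of integers there is nothing for an attacker to inject, and the escaping in the link builder simply guarantees that a future change which loosens the validation cannot silently reintroduce it.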

Patches

Patched in versions 0.27.6 and 0.28.1. Users on the 0.27 series should upgrade to 0.27.6 or later; users on 0.28 should upgrade to 0.28.1 or later.

References

OWASP ASVS v4.0.3, requirement 5.1.3 (all input, including URL parameters, is validated using positive validation, i.e. allow lists)

Credits

This issue was discovered in a security audit organized by the mitgestalten Partizipationsbüro and funded by netidee against Decidim done during April 2024. The security audit was implemented by AIT Austrian Institute of Technology GmbH,
