ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.1 (High)
PATCHED VERSIONS
- >= 0.27.8
DESCRIPTION
Impact
The version control feature used in resources is subject to a potential cross-site scripting (XSS) attack through a malformed URL.
Workarounds
Not available
References
OWASP ASVS v4.0.3-5.1.3
Credits
This issue was discovered in a security audit of Decidim organized by Open Source Politics and carried out during July 2025.