Package Instance

Decidim's private data exports can lead to data leaks
Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.

The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).

This issue  was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:

```bash
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
```

Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.

The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.

The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):

```ruby

Decidim has a cross-site scripting vulnerability in the version control page
### Impact

The version control feature used in resources is subject to potential
cross-site scripting (XSS) attack through a malformed URL.

### Workarounds

Not available

### References

OWASP ASVS v4.0.3-5.1.3

### Credits

This issue was discovered in a security audit organized by
[Open Source Politics](https://opensourcepolitics.eu/)
against Decidim done during July 2025.

Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor
### Impact
The WYSWYG editor QuillJS is subject to potential XSS attach in
case the attacker manages to modify the HTML before being
uploaded to the server.

The attacker is able to change e.g. to <svg onload=alert('XSS')>
if they know how to craft these requests themselves.

### Patches
N/A

### Workarounds
Review the user accounts that have access to the admin panel (i.e.
general Administrators, and participatory space's Administrators)
and remove access to them if they don't need it.

Disable the "Enable rich text editor for participants" setting in
the admin dashboard.

### References
OWASP ASVS v4.0.3-5.1.3