{"url":"http://public2.vulnerablecode.io/api/packages/385329?format=json","purl":"pkg:gem/decidim@0.0.6","type":"gem","namespace":"","name":"decidim","version":"0.0.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38554?format=json","vulnerability_id":"VCID-65sr-zebx-x3f8","summary":"Decidim vulnerable to sensitive data disclosure\nNote: added the actual report as a [comment](https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110).\n\n### Summary\n\nDecidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).\n\n### Impact\nThis issue may lead to Sensitive Data Disclosure.\n\n### Patches\nThe problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3).\n\n### Workarounds\nDisable or unpublish all meetings components from your 
application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34090","reference_id":"","reference_type":"","scores":[{"value":"0.0038","scoring_system":"epss","scoring_elements":"0.59752","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34090"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-23T15:26:40Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-23T15:26:40Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S
:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-23T15:26:40Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34090.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34090.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-meetings/CVE-2023-34090.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-meetings/CVE-2023-34090.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34090","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34090"},{"reference_url":"https://github.com/advisories/GHSA-jm79-9pm4-vrw9","reference_id":"GHSA-jm79-9pm4-vrw9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jm79-9pm4-vrw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71512?format=json","purl":"pkg:gem/decidim@0.27.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5nj4-u7wx-6kee"},{"vulnerability":"V
CID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-s1b7-3yfv-vucu"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.3"}],"aliases":["CVE-2023-34090","GHSA-jm79-9pm4-vrw9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-65sr-zebx-x3f8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13011?format=json","vulnerability_id":"VCID-evze-v9z9-tyeq","summary":"Decidim vulnerable to data disclosure through the embed feature\n### Impact\n\nIf an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed. 
\n\n### Patches\n\nversion 0.27.6\n\nhttps://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705\n\n### Workarounds\n\nDisallow access through your web server to the URLs finished with `/embed.html`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27090","reference_id":"","reference_type":"","scores":[{"value":"0.00278","scoring_system":"epss","scoring_elements":"0.51432","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27090"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T19:29:59Z/"}],"url":"https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705"},{"reference_url":"https://github.com/decidim/decidim/pull/12528","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N
/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T19:29:59Z/"}],"url":"https://github.com/decidim/decidim/pull/12528"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T19:29:59Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.6"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-10T19:29:59Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-qcj6-vxwx-4rqv"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-27090.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"c
vssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-27090.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27090","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27090"},{"reference_url":"https://github.com/advisories/GHSA-qcj6-vxwx-4rqv","reference_id":"GHSA-qcj6-vxwx-4rqv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcj6-vxwx-4rqv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37452?format=json","purl":"pkg:gem/decidim@0.27.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.6"}],"aliases":["CVE-2024-27090","GHSA-qcj6-vxwx-4rqv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-evze-v9z9-tyeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38406?format=json","vulnerability_id":"VCID-jfd5-cuu6-37a7","summary":"Decidim Cross-site Scripting vulnerability in the external link redirections\n### Impact\n\nThe external link feature is susceptible to Cross-site scripting. 
This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.\n\n### Patches\n\nThe problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3) and [v0.26.7](https://github.com/decidim/decidim/releases/tag/v0.26.7)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32693","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.4555","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32693"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:24Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.7"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/U
I:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:24Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:24Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-32693.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-32693.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-32693.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-32693.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32693","reference_id":"","reference_type":"","scores"
:[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32693"},{"reference_url":"https://github.com/advisories/GHSA-469h-mqg8-535r","reference_id":"GHSA-469h-mqg8-535r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-469h-mqg8-535r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71508?format=json","purl":"pkg:gem/decidim@0.26.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-65sr-zebx-x3f8"},{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-s1b7-3yfv-vucu"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71512?format=json","purl":"pkg:gem/decidim@0.27.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5nj4-u7wx-6kee"},{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-s1b7-3yfv-vucu"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.3"}],"aliases":["CVE-2023-32693","GHSA-469h-mqg8-535r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jfd5-cuu6-37a7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8700?format=json","vulnerability_id":"VCID-mvnr-byj5-nfgw","summary":
"Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor\n### Impact\n\nThe WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server.\n\nThe attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. \n\n### Patches\n\nN/A\n\n### Workarounds\n\nReview the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. \n\nDisable the \"Enable rich text editor for participants\" setting in the admin dashboard\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39910","reference_id":"","reference_type":"","scores":[{"value":"0.00631","scoring_system":"epss","scoring_elements":"0.70641","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39910"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Tra
ck","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T19:57:51Z/"}],"url":"https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T19:57:51Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39910","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"
url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39910"},{"reference_url":"https://github.com/advisories/GHSA-vvqw-fqwx-mqmm","reference_id":"GHSA-vvqw-fqwx-mqmm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vvqw-fqwx-mqmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/22450?format=json","purl":"pkg:gem/decidim@0.27.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.7"}],"aliases":["CVE-2024-39910","GHSA-vvqw-fqwx-mqmm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mvnr-byj5-nfgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10281?format=json","vulnerability_id":"VCID-qhqy-s9n1-bqa9","summary":"Possibility to circumvent the invitation token expiry period\n### Impact\nThe invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.\n\nWhen using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the `devise_invitable` gem:\nhttps://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198\n\nThe only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period as explained in the gem's documentation:\nhttps://github.com/scambra/devise_invitable#model-configuration-\n\n> `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. 
When `invite_for` is `0` (the default), the invitation won’t expire.\n\nDecidim sets this configuration to `2.weeks` so this configuration should be respected:\nhttps://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134\n\nThe bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.\n\n### Patches\nUpdate `devise_invitable` to version `2.0.9` or above by running the following command:\n\n```\n$ bundle update devise_invitable\n```\n\n### Workarounds\nThe invitations can be cancelled directly from the database by running the following command from the Rails console:\n\n```\n> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)\n```\n\n### References\nOWASP ASVS V4.0.3-2.3.1\n\nThis bug has existed in the `devise_invitable` gem since this commit which was first included in the `v0.4.rc3` release of this gem:\nhttps://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098\n\nAll versions since then are affected.\n\nThis gem was first introduced at its version `~> 1.7.0` to the `decidim-admin` gem in this commit which was first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34\n\nIt was first introduced at its version `~> 1.7.0` to the `decidim-system` gem in this commit which was also first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454\n\n### Credits\nThis issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. 
The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48220","reference_id":"","reference_type":"","scores":[{"value":"0.00584","scoring_system":"epss","scoring_elements":"0.69352","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48220"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"},{"reference_url":"https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"},{"reference_url":"https://github.com/decidim/decidim/commit/b128
00717a689c295a9ea680a38ca9f823d2c454","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.9","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.9"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.5","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.5"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.28.0","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.28.0"},{"reference_url":"http
s://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"},{"reference_url":"https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"},{"reference_url":"https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T15:23:30Z/"}],"url":"https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48220","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48220"},{"reference_url":"https://github.com/advisories/GHSA-w3q8-m492-4pwp","reference_id":"GHSA-w3q8-m492-4pwp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w3q8-m492-4pwp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26581?format=json","purl":"pkg:gem/decidim@0.26.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.9"},{"url":"http://public2.vulnerablecode.io/api/packages/26586?format=json","purl":"pkg:gem/decidim@0.27.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.5"}],"aliases":["CVE-2023-48220","GHSA-w3q8-m492-4pwp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhqy-s9n1-bqa9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35209?format=json","vulnerability_id":"VCID-s1b7-3yfv-vucu","summary":"Decidim has broken access control in templates\n### Impact\n\nThe `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. 
An attacker could use this vulnerability to change, create or delete templates of surveys.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36465","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21537","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36465"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-19T18:47:43Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.8"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-19T18:47:43Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.4"},{"reference_url":"https://github.com/decidim/decidim/security/
advisories/GHSA-639h-86hw-qcjq","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-19T18:47:43Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36465","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36465"},{"reference_url":"https://github.com/advisories/GHSA-639h-86hw-qcjq","reference_id":"GHSA-639h-86hw-qcjq",
"reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-639h-86hw-qcjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67310?format=json","purl":"pkg:gem/decidim@0.26.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.8"},{"url":"http://public2.vulnerablecode.io/api/packages/67313?format=json","purl":"pkg:gem/decidim@0.27.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5nj4-u7wx-6kee"},{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.4"}],"aliases":["CVE-2023-36465","GHSA-639h-86hw-qcjq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s1b7-3yfv-vucu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19383?format=json","vulnerability_id":"VCID-tu6g-nqbz-t7de","summary":"Decidim's private data exports can lead to data leaks\n### Impact\nPrivate data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.\n\nThe bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).\n\nThis issue  was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:\n\n```bash\n$ cd decidim-core\n$ for i in {1..10}; 
do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e \"deletes the\" || break ; done\n```\n\nRun the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.\n\nThe UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.\n\nThe following code reproduces the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):\n\n```ruby\n# Create the ZIP buffers to be stored\nbuffer1 = Zip::OutputStream.write_buffer do |out|\n  out.put_next_entry(\"admin.txt\")\n  out.write \"Hello, admin!\"\nend\nbuffer1.rewind\nbuffer2 = Zip::OutputStream.write_buffer do |out|\n  out.put_next_entry(\"user.txt\")\n  out.write \"Hello, user!\"\nend\nbuffer2.rewind\n\n# Create the private exports with predefined IDs\nuser1 = Decidim::User.find(1)\nexport = user1.private_exports.build\nexport.id = \"0210ae70-482b-4671-b758-35e13e0097a9\"\nexport.export_type = \"download_your_data\"\nexport.file.attach(io: buffer1, filename: \"foobar.zip\", content_type: \"application/zip\")\nexport.expires_at = Decidim.download_your_data_expiry_time.from_now\nexport.metadata = {}\nexport.save!\n\n\nuser2 = Decidim::User.find(2)\nexport = user2.private_exports.build\nexport.id = \"0210d2df-a0c7-40aa-ad97-2dae5083e3b8\"\nexport.export_type = \"download_your_data\"\nexport.file.attach(io: buffer2, filename: \"foobar.zip\", content_type: \"application/zip\")\nexport.expires_at = Decidim.download_your_data_expiry_time.from_now\nexport.metadata = {}\nexport.save!\n```\n\nExpect to see an error in this situation.\n\nNow, log in as the user with ID 1, go to `/download_your_data`, click \"Download file\" from the export and expect to see the data that should be attached to the user with ID 2. 
This is an artificially replicated situation with the predefined UUIDs but it can easily happen in real situations.\n\nThe reason for the test case failure can be replicated in case you change the export ID to `export.id = \"e9540f96-9e3d-4abe-8c2a-6c338d85a684\"`. This would return `0` through `.to_s`\n\nAfter attaching that ID, you can test if the file is available for the export:\n\n```ruby\nuser.private_exports.last.file.attached?\n=> false\nuser.private_exports.last.file.blob\n=> nil\n```\n\nNote that this fails with such UUID as shown in the example and could easily lead to collisions in case the UUID starts with a number. E.g. UUID `\"0210ae70-482b-4671-b758-35e13e0097a9\"` would convert to `210` through `.to_s`. Therefore, if someone else has a \"private\" export with the prefixes \"00000210\", \"0000210\", \"000210\", \"00210\", \"0210\" or \"210\", that would cause a collision and the file could be attached to the wrong private export.\n\nTheoretical chance of collision (the reality depends on the UUID generation algorithm):\n\n- Potential combinations of the UUID first part (8 characters hex): 16^8\n- Potentially colliding character combinations (8 numbers characters in the range of 0-9): 10^8\n- 10^8 / 16^8 ≈ 2.3% (23 / 1000 users)\n\nThe root cause is that the class `Decidim::PrivateExport` defines an ActiveStorage relation to `file` and the table `active_storage_attachments` stores the related `record_id` as `bigint` which causes the conversion to happen.\n\n### Workarounds\nFully disable the private exports feature until a patch is 
available.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65017","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.1406","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65017"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/pull/13571","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/pull/13571"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.30.4","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.30.4"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.31.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"val
ue":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.31.0"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65017","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65017"},{"reference_url":"https://github.com/advisories/GHSA-3cx6-j9j4-54mp","reference_id":"GHSA-3cx6-j9j4-54mp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cx6-j9j4-54mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55020?format=json","purl":"pkg:gem/decidim@0.30.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tu6g-nqbz-t7de"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/385457?format=json","purl":"pkg:gem/decidim@0.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tu6g-nqbz-t7de"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.31.0"}],"aliases":["CVE-2025-65017","GHSA-3cx6-j9j4-54mp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tu6g-nqbz-t7de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8259?format=json","vulnerability_id":"VCID-ug8n-npvw-xqhu","summary":"Decidim has a cross-site scripting vulnerability in the version control page\n### Impact\n\nThe version control feature used in resources is subject to potential cross-site scripting (XSS) attack through a malformed URL. 
\n\n### Workarounds\n\nNot available\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n\n### Credits\n\nThis issue was discovered in a security audit organized by [Open Source Politics](https://opensourcepolitics.eu/) against Decidim done during July 2025.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41673","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61975","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41673"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T17:47:16Z/"}],"url":"https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:
H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T17:47:16Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-41673.yml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-41673.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41673","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41673"},{"reference_url":"https://github.com/advisories/GHSA-cc4g-m3g7-xmw8","reference_id":"GHSA-cc4g-m3g7-xmw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cc4g-m3g7-xmw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20420?format=json","purl":"pkg:gem/decidim@0.27.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID
-tu6g-nqbz-t7de"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.8"}],"aliases":["CVE-2024-41673","GHSA-cc4g-m3g7-xmw8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ug8n-npvw-xqhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13533?format=json","vulnerability_id":"VCID-yv4b-a2na-cyh8","summary":"Decidim cross-site scripting (XSS) in the pagination\n### Impact\n\nThe pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. \n\n### Patches\n\nNot available\n\n### Workarounds\n\nNot available\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n\n### Credits\n\nThis issue was discovered in a security audit organized by the [mitgestalten Partizipationsbüro](https://partizipationsbuero.at/) and funded by [netidee](https://www.netidee.at/) against Decidim done during April 2024. 
The security audit was implemented by  [AIT Austrian Institute of Technology GmbH](https://www.ait.ac.at/),","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32469","reference_id":"","reference_type":"","scores":[{"value":"0.00485","scoring_system":"epss","scoring_elements":"0.65624","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32469"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.6","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T14:25:38Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.6"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.28.1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_element
s":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T14:25:38Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.28.1"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-11T14:25:38Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-32469.yml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-32469.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32469","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32469"},{"reference_url
":"https://github.com/advisories/GHSA-7cx8-44pc-xv3q","reference_id":"GHSA-7cx8-44pc-xv3q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cx8-44pc-xv3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37452?format=json","purl":"pkg:gem/decidim@0.27.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.6"},{"url":"http://public2.vulnerablecode.io/api/packages/38085?format=json","purl":"pkg:gem/decidim@0.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tu6g-nqbz-t7de"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.28.1"}],"aliases":["CVE-2024-32469","GHSA-7cx8-44pc-xv3q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yv4b-a2na-cyh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38509?format=json","vulnerability_id":"VCID-zges-d6gg-efan","summary":"Decidim Cross-site Scripting vulnerability in the processes filter\n### Impact\n\nThe processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. 
An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.\n\n### Patches\n\nThe problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3) and [v0.26.7](https://github.com/decidim/decidim/releases/tag/v0.26.7)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34089","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34748","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34089"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:06Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.6"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.7","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.7"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.3","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:06Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-04T19:43:06Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-34089.yml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-34089.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34089.yml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34089.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34089","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34089"},{"reference_url":"https://github.com/advisories/GHSA-5652-92r9-3fx9","reference_id":"GHSA-5652-92r9-3fx9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5652-92r9-3fx9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71508?format=json","purl":"pkg:gem/decidim@0.26.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-65sr-zebx-x3f8"},{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-s1b7-3yfv-vucu"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71512?format=json","purl":"pkg:gem/decidim@0.27.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5nj4-u7wx-6kee"},{"vulnerability":"VCID-6yku-meu8-nbdp"},{"vulnerability":"VCID-evze-v9z9-tyeq"},{"vulnerability":"VCID-mvnr-byj5-nfgw"},{"vulnerability":"VCID-qhqy-s9n1-bqa9"},{"vulnerability":"VCID-s1b7-3yfv-vucu"},{"vulnerability":"VCID-tu6g-nqbz-t7de"},{"vulnerability":"VCID-ug8n-npvw-xqhu"},{"vulnerability":"VCID-yv4b-a2na-cyh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.3"}],"aliases":["CVE-2023-34089","GHSA-5652-92r9-3fx9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zges-d6gg-efan"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.0.6"}