{"url":"http://public2.vulnerablecode.io/api/packages/82644?format=json","purl":"pkg:gem/decidim@0.27.7","type":"gem","namespace":"","name":"decidim","version":"0.27.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49962?format=json","vulnerability_id":"VCID-25zg-267g-w3cn","summary":"Decidim's private data exports can lead to data leaks\nPrivate data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.\n\nThe bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).\n\nThis issue  was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:\n\n```bash\n$ cd decidim-core\n$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e \"deletes the\" || break ; done\n```\n\nRun the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.\n\nThe UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.\n\nThe following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):\n\n```ruby","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65017","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17321","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65017"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/pull/13571","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/pull/13571"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.30.4","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.30.4"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.31.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/releases/tag/v0.31.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65017","reference_id":"CVE-2025-65017","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65017"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml","reference_id":"CVE-2025-65017.YML","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml","reference_id":"CVE-2025-65017.YML","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml"},{"reference_url":"https://github.com/advisories/GHSA-3cx6-j9j4-54mp","reference_id":"GHSA-3cx6-j9j4-54mp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cx6-j9j4-54mp"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp","reference_id":"GHSA-3cx6-j9j4-54mp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T17:09:13Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73815?format=json","purl":"pkg:gem/decidim@0.30.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25zg-267g-w3cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/173908?format=json","purl":"pkg:gem/decidim@0.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25zg-267g-w3cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.31.0"}],"aliases":["CVE-2025-65017","GHSA-3cx6-j9j4-54mp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25zg-267g-w3cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51472?format=json","vulnerability_id":"VCID-nbaf-v9nk-fkbv","summary":"Decidim has a cross-site scripting vulnerability in the version control page\n### Impact\n\nThe version control feature used in resources is subject to potential\ncross-site scripting (XSS) attack through a malformed URL.\n\n### Workarounds\n\nNot available\n\n### References\n\nOWASP ASVS v4.0.3-5.1.3\n\n### Credits\n\nThis issue was discovered in a security audit organized by\n[Open Source Politics](https://opensourcepolitics.eu/)\nagainst Decidim done during July 2025.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41673","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62081","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41673"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T17:47:16Z/"}],"url":"https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T17:47:16Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41673","reference_id":"CVE-2024-41673","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41673"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-41673.yml","reference_id":"CVE-2024-41673.YML","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-41673.yml"},{"reference_url":"https://github.com/advisories/GHSA-cc4g-m3g7-xmw8","reference_id":"GHSA-cc4g-m3g7-xmw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cc4g-m3g7-xmw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82817?format=json","purl":"pkg:gem/decidim@0.27.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25zg-267g-w3cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.8"}],"aliases":["CVE-2024-41673","GHSA-cc4g-m3g7-xmw8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nbaf-v9nk-fkbv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51473?format=json","vulnerability_id":"VCID-83y7-7krj-77ae","summary":"Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin panel with QuillJS WYSWYG editor\n### Impact\nThe WYSWYG editor QuillJS is subject to potential XSS attach in\ncase the attacker manages to modify the HTML before being\nuploaded to the server.\n\nThe attacker is able to change e.g. to <svg onload=alert('XSS')>\nif they know how to craft these requests themselves.\n\n### Patches\nN/A\n\n### Workarounds\nReview the user accounts that have access to the admin panel (i.e.\ngeneral Administrators, and participatory space's Administrators)\nand remove access to them if they don't need it.\n\nDisable the \"Enable rich text editor for participants\" setting in\nthe admin dashboard.\n\n### References\nOWASP ASVS v4.0.3-5.1.3","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39910","reference_id":"","reference_type":"","scores":[{"value":"0.00631","scoring_system":"epss","scoring_elements":"0.70737","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39910"},{"reference_url":"https://github.com/decidim/decidim","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/decidim/decidim"},{"reference_url":"https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T19:57:51Z/"}],"url":"https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T19:57:51Z/"}],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39910","reference_id":"CVE-2024-39910","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39910"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml","reference_id":"CVE-2024-39910.YML","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml"},{"reference_url":"https://github.com/advisories/GHSA-vvqw-fqwx-mqmm","reference_id":"GHSA-vvqw-fqwx-mqmm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vvqw-fqwx-mqmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82644?format=json","purl":"pkg:gem/decidim@0.27.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25zg-267g-w3cn"},{"vulnerability":"VCID-nbaf-v9nk-fkbv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.7"}],"aliases":["CVE-2024-39910","GHSA-vvqw-fqwx-mqmm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-83y7-7krj-77ae"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.7"}