Vulnerability details: VCID-12ay-hyhq-c3a4
Vulnerability ID VCID-12ay-hyhq-c3a4
Aliases CVE-2023-51447
GHSA-9w99-78rj-hmxq
Summary Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user, but in any case this needs to be fixed. Successful exploitation of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves, controlling the file name that gets stored in the database. The attacker is able to change the filename e.g. to `<svg onload=alert('XSS')>` if they know how to craft these requests themselves, and then enter the returned blob ID into the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
epss 0.00487 https://api.first.org/data/v1/epss?cve=CVE-2023-51447
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-9w99-78rj-hmxq
cvssv3.1 6.3 https://github.com/decidim/decidim
generic_textual MODERATE https://github.com/decidim/decidim
cvssv3.1 6.3 https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
generic_textual MODERATE https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
ssvc Track https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
cvssv3.1 6.3 https://github.com/decidim/decidim/pull/11612
generic_textual MODERATE https://github.com/decidim/decidim/pull/11612
ssvc Track https://github.com/decidim/decidim/pull/11612
cvssv3.1 6.3 https://github.com/decidim/decidim/releases/tag/v0.27.5
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.27.5
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.27.5
cvssv3.1 6.3 https://github.com/decidim/decidim/releases/tag/v0.28.0
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.28.0
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.28.0
cvssv3 6.3 https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
cvssv3.1 6.3 https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
cvssv3.1_qr MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
generic_textual MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
ssvc Track https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
cvssv3.1 6.3 https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14
generic_textual MODERATE https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14
ssvc Track https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14
cvssv3.1 6.3 https://nvd.nist.gov/vuln/detail/CVE-2023-51447
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-51447
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality Impact (C): High
Integrity Impact (I): Low
Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/decidim/decidim/commit/aaf72787cf18beeeb6a771c1f7cbb7654b073423
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim/pull/11612
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/decidim/decidim/pull/11612
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/decidim/decidim/security/advisories/GHSA-9w99-78rj-hmxq
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T19:26:23Z/ Found at https://github.com/rails/rails/blob/a967d355c6fee9ad9b8bd115d43bc8b0fc207e7e/activestorage/app/controllers/active_storage/direct_uploads_controller.rb#L14
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-51447
Exploit Prediction Scoring System (EPSS)
Percentile 0.65858
EPSS Score 0.00487
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:20:39.417941+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/51xxx/CVE-2023-51447.json 38.6.0