Lucene search
+L
DecidimDecidim

15 matches found

cve
cve
added 2024/02/20 4:37 p.m.85 views

CVE-2023-47634

CVE-2023-47634 affects Decidim, a Ruby on Rails participatory democracy framework. The vulnerability is a race condition in the endorsement of resources (e.g., proposals) that can allow a user to submit more than one endorsement when multiple endorsement requests are sent in parallel. Affected ve...

3.1CVSS3.5AI score0.00444EPSS
cve
cve
added 2024/02/20 4:45 p.m.82 views

CVE-2023-47635

CVE-2023-47635 concerns Decidim (Ruby on Rails) where the CSRF authenticity token check is disabled for the questionnaire templates preview in versions ≤ 0.27.4 and 0.28.0 before the fix. The risk is limited by the requirement that an attacker must also access the user session cookie to view the ...

5.7CVSS4.6AI score0.00313EPSS
cve
cve
added 2024/07/10 7:7 p.m.80 views

CVE-2024-27095

CVE-2024-27095 affects the Decidim admin panel with a cross-site scripting (XSS) flaw that can be triggered when an attacker modifies records uploaded to the server. The issue is fixed in Decidim releases 0.27.6 and 0.28.1 (and related decidim-admin patches). Connected advisories consistently des...

5.4CVSS4.8AI score0.00341EPSS
cve
cve
added 2023/10/06 11:56 a.m.71 views

CVE-2023-36465

Decidim (Ruby on Rails) has a broken access control in the templates module, allowing any logged-in user to access template management in the admin panel and to change, create, or delete survey templates. The issue is confirmed across multiple sources and has been patched in versions 0.26.8 and 0...

9.1CVSS6.9AI score0.00541EPSS
cve
cve
added 2024/02/20 5:29 p.m.71 views

CVE-2023-51447

Decidim core is affected by a Cross-site Scripting (XSS) in the dynamic file upload feature. Affected versions are 0.27.0 up to but not including 0.27.5 and 0.28.0. The vulnerability arises when an attacker can modify the file names in the records uploaded to the server, exploiting the dynamic up...

6.3CVSS5.9AI score0.00493EPSS
cve
cve
added 2024/02/20 5:24 p.m.68 views

CVE-2023-48220

Summary: CVE-2023-48220 affects Decidim and its related gems, via the devise_invitable integration. The issue permits an invited user to accept the invitation indefinitely through the password-reset flow because the code only checks that a user has been invited, not that the invitation is still w...

7.4CVSS5.6AI score0.00791EPSS
cve
cve
added 2023/07/11 5:29 p.m.57 views

CVE-2023-34090

Summary: Decidim prior to 0.27.3 is affected by a data disclosure issue due to the Ransack filtering default behavior allowing all data attributes/associations to be queried, enabling an unauthenticated remote attacker to exfiltrate non-public data from the underlying database. Root cause: Miscon...

7.5CVSS7.4AI score0.0125EPSS
cve
cve
added 2024/11/13 4:21 p.m.56 views

CVE-2024-45594

CVE-2024-45594 affects the Decidim framework, specifically the online/hybrid meeting embeds feature. A cross-site scripting (XSS) flaw can be triggered via a malformed URL in the meeting embeds code. The vulnerability is fixed in Decidim releases 0.28.3 and 0.29.0. If you use decidim-meetings, up...

7.7CVSS7.2AI score0.00243EPSS
cve
cve
added 2024/09/16 6:38 p.m.55 views

CVE-2024-32034

Summary: CVE-2024-32034 is a cross-site scripting (XSS) vulnerability in the Decidim admin activity log when an admin assigns a valuator to a proposal or performs an action that creates an admin log with an XSS payload. Affected versions: Decidim before 0.27.7 and before 0.28.2 (with fixes in 0.2...

6.8CVSS5.5AI score0.00353EPSS
cve
cve
added 2023/07/11 5:19 p.m.53 views

CVE-2023-32693

Summary: CVE-2023-32693 affects the Decidim framework (Ruby on Rails). The vulnerability is a Cross-Site Scripting flaw in the external link feature, allowing a remote attacker to execute JavaScript in the context of a logged-in user and potentially influence user endorsements of proposals. Affec...

8.1CVSS6.6AI score0.00816EPSS
cve
cve
added 2023/07/11 5:36 p.m.53 views

CVE-2023-34089

CVE-2023-34089 affects Decidim (Ruby on Rails) where the processes filter feature is vulnerable to Cross-site scripting. The underlying issue allows a remote attacker to run JavaScript in the context of a logged-in user, potentially causing other users to endorse or support proposals. Patches are...

8.1CVSS6.8AI score0.00736EPSS
cve
cve
added 2024/09/16 6:38 p.m.31 views

CVE-2024-39910

CVE-2024-39910 affects the decidim project where the WYSIWYG editor QuillJS in the admin panel is vulnerable to Cross-Site Scripting (XSS) when an attacker can craft HTML before upload. The concrete details across connected sources show an XSS path via editing HTML (e.g., injecting script-like pa...

5.4CVSS4.9AI score0.0026EPSS
cve
cve
added 2026/04/13 4:52 p.m.23 views

CVE-2026-23891

Summary (CVE-2026-23891, Decidim) : A stored code execution vulnerability exists in the user name field for Decidim versions

9.3CVSS6.5AI score0.00356EPSS
cve
cve
added 2026/02/03 3:5 p.m.14 views

CVE-2025-65017

Decidim’s private data export vulnerability (CVE-2025-65017) affects Decidim versions 0.30.0–0.30.3 and 0.31.0.rc1–0.31.0, where UUID generation can collide, leading to data leaks via private data exports. The root cause is UUID collision during export generation, enabling potential exposure of p...

8.2CVSS5.3AI score0.00262EPSS
cve
cve
added 2026/04/21 7:8 p.m.10 views

CVE-2026-40869

CVE-2026-40869 — Decidim : Affected versions of the Decidim framework (starting from 0.19.0 up to, but not including, 0.30.5 and 0.31.1) allow any registered and authenticated user to accept or reject amendments. The vulnerability stems from insufficient permission checks in the amendment accepta...

7.5CVSS5.8AI score0.00223EPSS