15 matches found
CVE-2023-47634
CVE-2023-47634 affects Decidim, a Ruby on Rails participatory democracy framework. The vulnerability is a race condition in the endorsement of resources (e.g., proposals) that can allow a user to submit more than one endorsement when multiple endorsement requests are sent in parallel. Affected ve...
CVE-2023-47635
CVE-2023-47635 concerns Decidim (Ruby on Rails) where the CSRF authenticity token check is disabled for the questionnaire templates preview in versions ≤ 0.27.4 and 0.28.0 before the fix. The risk is limited by the requirement that an attacker must also access the user session cookie to view the ...
CVE-2024-27095
CVE-2024-27095 affects the Decidim admin panel with a cross-site scripting (XSS) flaw that can be triggered when an attacker modifies records uploaded to the server. The issue is fixed in Decidim releases 0.27.6 and 0.28.1 (and related decidim-admin patches). Connected advisories consistently des...
CVE-2023-36465
Decidim (Ruby on Rails) has a broken access control in the templates module, allowing any logged-in user to access template management in the admin panel and to change, create, or delete survey templates. The issue is confirmed across multiple sources and has been patched in versions 0.26.8 and 0...
CVE-2023-51447
Decidim core is affected by a Cross-site Scripting (XSS) in the dynamic file upload feature. Affected versions are 0.27.0 up to but not including 0.27.5 and 0.28.0. The vulnerability arises when an attacker can modify the file names in the records uploaded to the server, exploiting the dynamic up...
CVE-2023-48220
Summary: CVE-2023-48220 affects Decidim and its related gems, via the devise_invitable integration. The issue permits an invited user to accept the invitation indefinitely through the password-reset flow because the code only checks that a user has been invited, not that the invitation is still w...
CVE-2023-34090
Summary: Decidim prior to 0.27.3 is affected by a data disclosure issue due to the Ransack filtering default behavior allowing all data attributes/associations to be queried, enabling an unauthenticated remote attacker to exfiltrate non-public data from the underlying database. Root cause: Miscon...
CVE-2024-45594
CVE-2024-45594 affects the Decidim framework, specifically the online/hybrid meeting embeds feature. A cross-site scripting (XSS) flaw can be triggered via a malformed URL in the meeting embeds code. The vulnerability is fixed in Decidim releases 0.28.3 and 0.29.0. If you use decidim-meetings, up...
CVE-2024-32034
Summary: CVE-2024-32034 is a cross-site scripting (XSS) vulnerability in the Decidim admin activity log when an admin assigns a valuator to a proposal or performs an action that creates an admin log with an XSS payload. Affected versions: Decidim before 0.27.7 and before 0.28.2 (with fixes in 0.2...
CVE-2023-32693
Summary: CVE-2023-32693 affects the Decidim framework (Ruby on Rails). The vulnerability is a Cross-Site Scripting flaw in the external link feature, allowing a remote attacker to execute JavaScript in the context of a logged-in user and potentially influence user endorsements of proposals. Affec...
CVE-2023-34089
CVE-2023-34089 affects Decidim (Ruby on Rails) where the processes filter feature is vulnerable to Cross-site scripting. The underlying issue allows a remote attacker to run JavaScript in the context of a logged-in user, potentially causing other users to endorse or support proposals. Patches are...
CVE-2024-39910
CVE-2024-39910 affects the decidim project where the WYSIWYG editor QuillJS in the admin panel is vulnerable to Cross-Site Scripting (XSS) when an attacker can craft HTML before upload. The concrete details across connected sources show an XSS path via editing HTML (e.g., injecting script-like pa...
CVE-2026-23891
Summary (CVE-2026-23891, Decidim) : A stored code execution vulnerability exists in the user name field for Decidim versions
CVE-2025-65017
Decidim’s private data export vulnerability (CVE-2025-65017) affects Decidim versions 0.30.0–0.30.3 and 0.31.0.rc1–0.31.0, where UUID generation can collide, leading to data leaks via private data exports. The root cause is UUID collision during export generation, enabling potential exposure of p...
CVE-2026-40869
CVE-2026-40869 — Decidim : Affected versions of the Decidim framework (starting from 0.19.0 up to, but not including, 0.30.5 and 0.31.1) allow any registered and authenticated user to accept or reject amendments. The vulnerability stems from insufficient permission checks in the amendment accepta...