
CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.

• https://github.com/decidim/decidim/releases/tag/v0.26.7
• https://github.com/decidim/decidim/releases/tag/v0.27.3
• https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')