CVE-2024-32469
HIGHDecidim < 0.27.6 and 0.28.0.rc1-0.28.1 - Cross-Site Scripting via Pagination GET Parameter
Title source: llmDescription
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.
References (3)
Core 3
Core References
Release Notes x_refsource_misc
https://github.com/decidim/decidim/releases/tag/v0.27.6
Release Notes x_refsource_misc
https://github.com/decidim/decidim/releases/tag/v0.28.1
Vendor Advisory x_refsource_confirm
https://github.com/decidim/decidim/security/advisories/GHSA-7cx8-44pc-xv3q
Scores
CVSS v3
7.1
EPSS
0.0049
EPSS Percentile
65.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
decidim/decidim
< 0.27.6
decidim/decidim
>= 0.28.0.rc1, < 0.28.1
rubygems/decidim
0 - 0.27.6RubyGems
Published
Jul 10, 2024
Tracked Since
Feb 18, 2026