{"id":"CVE-2023-32693","summary":"Decidim Cross-site Scripting vulnerability in the external link redirections","details":"Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.","aliases":["GHSA-469h-mqg8-535r"],"modified":"2026-03-14T12:08:42.725180Z","published":"2023-07-11T17:19:26.138Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32693.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32693.json"},{"type":"WEB","url":"https://github.com/decidim/decidim/releases/tag/v0.26.7"},{"type":"WEB","url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"type":"ADVISORY","url":"https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32693"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/decidim/decidim","events":[{"introduced":"297096130e1a09bd2cf8e4a7ac5e2b73ee61a5db"},{"fixed":"0988ce9db54da0485a7ae5094b4b99fa2b153b45"}],"database_specific":{"versions":[{"introduced":"0.25.0"},{"fixed":"0.26.7"}]}},{"type":"GIT","repo":"https://github.com/decidim/decidim","events":[{"introduced":"fcac16c9eed35c9ca0ac30a3be7b962881aa06ee"},{"fixed":"073a7d779d22458c3bb1d5b4aa6b3e41f85c338f"}],"database_specific":{"versions":[{"introduced":"0.27.0"},{"fixed":"0.27.3"}]}}],"versions":["v0.27.0","v0.27.1","v0.27.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32693.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}