CVE-2024-41673 Overview
CVE-2024-41673 is a stored/reflected cross-site scripting (XSS) vulnerability in Decidim, an open-source participatory democracy framework built on Ruby on Rails. The version control feature used in resources fails to properly sanitize input derived from a malformed URL, allowing an attacker to inject executable JavaScript into pages rendered by the application. The issue is tracked under CWE-79 and resolved in Decidim version 0.27.8.
Critical Impact
An attacker can craft a malicious URL that, when followed by a victim, executes arbitrary script in the victim's browser session, enabling session theft, content manipulation, or actions performed under the victim's identity.
Affected Products
- Decidim participatory democracy framework versions prior to 0.27.8
- Decidim Accountability module (decidim-accountability)
- Decidim Core version control cell (decidim-core)
Discovery Timeline
- 2024-10-01 - CVE-2024-41673 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-41673
Vulnerability Analysis
The vulnerability resides in the version control feature used by Decidim resources, specifically the views and cells responsible for rendering historical versions of accountability results. The versions/show.html.erb template passed the params[:id] value directly into a rendered cell, and the version_cell.rb helper translated strings without escaping HTML. An attacker who supplies a malformed id parameter can break out of expected rendering and inject HTML or JavaScript into the response.
Because the injection occurs in a public-facing democratic participation platform, the attack surface includes voters, proposal authors, and platform administrators. Successful exploitation requires the victim to follow an attacker-supplied link, after which the script runs in the origin of the Decidim instance.
Root Cause
Two defects combine to produce the XSS condition. First, the controller-supplied params[:id] was forwarded to a view cell without type coercion, so non-integer values reached downstream rendering logic. Second, the i18n helper inside Decidim::VersionCell invoked t(...) and embedded the result without applying HTML escaping, allowing interpolated values to be treated as markup.
Attack Vector
Exploitation is network-based and requires user interaction. An attacker crafts a URL targeting the version control endpoint of a Decidim resource, embeds a payload in the id segment, and delivers the link to victims through messaging, social posts, or forum content within the Decidim site itself.
# Patch in decidim-accountability/app/views/decidim/accountability/versions/show.html.erb
# Coerces the id parameter to integer before passing to the cell
<%= cell(
"decidim/version",
current_version,
- index: params[:id],
+ index: params[:id].to_i,
versioned_resource: versioned_resource,
versions_path: proc { url_for(action: :index) },
i18n_scope: "decidim.accountability.results.show.stats"
# Source: https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
# Patch in decidim-core/app/cells/decidim/version_cell.rb
# Wraps translated output with decidim_html_escape to neutralize markup
def i18n(string, **params)
- t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope))
+ decidim_html_escape(t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope)))
end
# Source: https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
Detection Methods for CVE-2024-41673
Indicators of Compromise
- Requests to /accountability/results/*/versions/* paths where the id segment contains non-numeric characters, HTML tags, or URL-encoded script payloads.
- HTTP referrers pointing to externally crafted links that redirect users into version control views.
- Browser console errors or unexpected script execution reported by Decidim users after clicking shared links.
Detection Strategies
- Inspect web server and Rails application logs for versions#show requests with malformed id parameters that fail integer coercion.
- Deploy a web application firewall rule that flags or blocks requests containing <script, onerror=, javascript:, or URL-encoded equivalents in the version control path.
- Review Content Security Policy (CSP) violation reports for inline script execution originating from version control pages.
Monitoring Recommendations
- Aggregate Rails application logs and alert on anomalous parameter shapes for the accountability versions endpoint.
- Monitor user reports and moderator queues for links shared on the platform that target the vulnerable route.
- Track outbound requests from authenticated user sessions for signs of session token exfiltration following link clicks.
How to Mitigate CVE-2024-41673
Immediate Actions Required
- Upgrade all Decidim deployments to version 0.27.8 or later, which includes the official fix.
- Audit Decidim instances for the presence of the decidim-accountability module and confirm the patched commit 8a18c8b is applied.
- Invalidate active sessions and rotate any administrative credentials if suspicious version control traffic is observed.
Patch Information
The upstream fix is published in GitHub Security Advisory GHSA-cc4g-m3g7-xmw8 and applied in commit 8a18c8b. The patch coerces the id parameter to an integer in the accountability versions view and wraps i18n output in decidim_html_escape inside the version cell.
Workarounds
- If immediate upgrade is not possible, restrict access to the accountability versions routes with reverse-proxy rules that validate the id segment matches ^[0-9]+$.
- Enforce a strict Content Security Policy that disallows inline scripts and unsafe-eval to reduce the impact of injected payloads.
- Disable or hide the accountability module on instances that do not actively use it until the patched version is deployed.
# Example nginx location block restricting the version id to integers
location ~ ^/accountability/results/[0-9]+/versions/([^/]+)$ {
if ($1 !~ ^[0-9]+$) {
return 400;
}
proxy_pass http://decidim_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

