Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-41673

CVE-2024-41673: Decidim Framework XSS Vulnerability

CVE-2024-41673 is a cross-site scripting flaw in Decidim's version control feature that allows XSS attacks through malformed URLs. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-41673 Overview

CVE-2024-41673 is a stored/reflected cross-site scripting (XSS) vulnerability in Decidim, an open-source participatory democracy framework built on Ruby on Rails. The version control feature used in resources fails to properly sanitize input derived from a malformed URL, allowing an attacker to inject executable JavaScript into pages rendered by the application. The issue is tracked under CWE-79 and resolved in Decidim version 0.27.8.

Critical Impact

An attacker can craft a malicious URL that, when followed by a victim, executes arbitrary script in the victim's browser session, enabling session theft, content manipulation, or actions performed under the victim's identity.

Affected Products

  • Decidim participatory democracy framework versions prior to 0.27.8
  • Decidim Accountability module (decidim-accountability)
  • Decidim Core version control cell (decidim-core)

Discovery Timeline

  • 2024-10-01 - CVE-2024-41673 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-41673

Vulnerability Analysis

The vulnerability resides in the version control feature used by Decidim resources, specifically the views and cells responsible for rendering historical versions of accountability results. The versions/show.html.erb template passed the params[:id] value directly into a rendered cell, and the version_cell.rb helper translated strings without escaping HTML. An attacker who supplies a malformed id parameter can break out of expected rendering and inject HTML or JavaScript into the response.

Because the injection occurs in a public-facing democratic participation platform, the attack surface includes voters, proposal authors, and platform administrators. Successful exploitation requires the victim to follow an attacker-supplied link, after which the script runs in the origin of the Decidim instance.

Root Cause

Two defects combine to produce the XSS condition. First, the controller-supplied params[:id] was forwarded to a view cell without type coercion, so non-integer values reached downstream rendering logic. Second, the i18n helper inside Decidim::VersionCell invoked t(...) and embedded the result without applying HTML escaping, allowing interpolated values to be treated as markup.

Attack Vector

Exploitation is network-based and requires user interaction. An attacker crafts a URL targeting the version control endpoint of a Decidim resource, embeds a payload in the id segment, and delivers the link to victims through messaging, social posts, or forum content within the Decidim site itself.

ruby
# Patch in decidim-accountability/app/views/decidim/accountability/versions/show.html.erb
# Coerces the id parameter to integer before passing to the cell
   <%= cell(
     "decidim/version",
     current_version,
-    index: params[:id],
+    index: params[:id].to_i,
     versioned_resource: versioned_resource,
     versions_path: proc { url_for(action: :index) },
     i18n_scope: "decidim.accountability.results.show.stats"
# Source: https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
ruby
# Patch in decidim-core/app/cells/decidim/version_cell.rb
# Wraps translated output with decidim_html_escape to neutralize markup
    def i18n(string, **params)
-      t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope))
+      decidim_html_escape(t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope)))
    end
# Source: https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637

Detection Methods for CVE-2024-41673

Indicators of Compromise

  • Requests to /accountability/results/*/versions/* paths where the id segment contains non-numeric characters, HTML tags, or URL-encoded script payloads.
  • HTTP referrers pointing to externally crafted links that redirect users into version control views.
  • Browser console errors or unexpected script execution reported by Decidim users after clicking shared links.

Detection Strategies

  • Inspect web server and Rails application logs for versions#show requests with malformed id parameters that fail integer coercion.
  • Deploy a web application firewall rule that flags or blocks requests containing <script, onerror=, javascript:, or URL-encoded equivalents in the version control path.
  • Review Content Security Policy (CSP) violation reports for inline script execution originating from version control pages.

Monitoring Recommendations

  • Aggregate Rails application logs and alert on anomalous parameter shapes for the accountability versions endpoint.
  • Monitor user reports and moderator queues for links shared on the platform that target the vulnerable route.
  • Track outbound requests from authenticated user sessions for signs of session token exfiltration following link clicks.

How to Mitigate CVE-2024-41673

Immediate Actions Required

  • Upgrade all Decidim deployments to version 0.27.8 or later, which includes the official fix.
  • Audit Decidim instances for the presence of the decidim-accountability module and confirm the patched commit 8a18c8b is applied.
  • Invalidate active sessions and rotate any administrative credentials if suspicious version control traffic is observed.

Patch Information

The upstream fix is published in GitHub Security Advisory GHSA-cc4g-m3g7-xmw8 and applied in commit 8a18c8b. The patch coerces the id parameter to an integer in the accountability versions view and wraps i18n output in decidim_html_escape inside the version cell.

Workarounds

  • If immediate upgrade is not possible, restrict access to the accountability versions routes with reverse-proxy rules that validate the id segment matches ^[0-9]+$.
  • Enforce a strict Content Security Policy that disallows inline scripts and unsafe-eval to reduce the impact of injected payloads.
  • Disable or hide the accountability module on instances that do not actively use it until the patched version is deployed.
bash
# Example nginx location block restricting the version id to integers
location ~ ^/accountability/results/[0-9]+/versions/([^/]+)$ {
    if ($1 !~ ^[0-9]+$) {
        return 400;
    }
    proxy_pass http://decidim_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.