VYPR
High severity (7.1) · NVD Advisory · Published Oct 1, 2024 · Updated Apr 15, 2026

CVE-2024-41673

Description

Decidim is a participatory democracy framework. The version control feature used in resources is subject to a potential XSS attack through a malformed URL: the version index taken from the URL path reaches the rendered page without integer coercion or HTML escaping. This vulnerability is fixed in 0.27.8.
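The following Ruby snippet is an added illustration of the pattern the fix addresses; it is not Decidim's own code. It models a translated counter string that interpolates the version index from the URL, rendered first without any protection, then with only the output escaping added to the version cell, then with both the view-side `to_i` coercion and the escaping. The translation text, the helper names and the use of `ERB::Util.html_escape` in place of Decidim's `decidim_html_escape` are assumptions for the example.

```ruby
require "erb"

# Added example (not Decidim code). Models the pattern behind CVE-2024-41673:
# a translated string that interpolates the version index taken straight from
# the URL. The template text and helper names are assumptions, not Decidim's
# real i18n keys or cell API.
VERSION_TEMPLATE = "Version number %{index} out of %{count}".freeze

# Constructed input, shaped like the path the fix's system specs visit: a valid
# version id with a script payload appended to the same path segment.
MALFORMED_ID = "2'XSS<script>alert('version')</script>".freeze

# Stand-in for an unescaped I18n call whose result is later marked html_safe:
# the raw param lands in the markup unchanged.
def render_vulnerable(id_param, count)
  format(VERSION_TEMPLATE, index: id_param, count: count)
end

# Only the output-encoding half of the fix (the VersionCell change): the
# payload survives as visible text, but the browser will not execute it.
def render_escaped_only(id_param, count)
  ERB::Util.html_escape(format(VERSION_TEMPLATE, index: id_param, count: count))
end

# Both halves of the fix: integer coercion in the view plus escaping in the
# cell. Note that String#to_i keeps leading digits and maps anything else to 0.
def render_hardened(id_param, count)
  index = id_param.to_i
  ERB::Util.html_escape(format(VERSION_TEMPLATE, index: index, count: count))
end

# Stricter coercion than the patch uses: reject ids that are not purely
# numeric (returns nil) instead of silently rendering version 0.
def strict_version_index(id_param)
  Integer(id_param, 10, exception: false)
end

# Crude check used in the assertions: does the rendered fragment still
# contain a live script tag, as opposed to the escaped &lt;script&gt; text?
def live_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(MALFORMED_ID, 2)
  puts render_escaped_only(MALFORMED_ID, 2)
  puts render_hardened(MALFORMED_ID, 2)
  p strict_version_index(MALFORMED_ID)
end
```

The `render_hardened` output for the malformed id is exactly the "2 out of 2" counter the fix's specs assert on, because `to_i` discards everything after the leading digits; `strict_version_index` shows the tighter alternative of refusing such ids outright.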

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
decidim   RubyGems    < 0.27.8            0.27.8

Patches (2)

Commit 8a18c8b1ee85

Fix malformed URL in version control page (#13204)

https://github.com/decidim/decidim · Andrés Pereira de Lucena · Jul 29, 2024 · via GHSA
12 files changed · +54 −6
  • decidim-accountability/app/views/decidim/accountability/versions/show.html.erb+1 1 modified
    @@ -9,7 +9,7 @@
       <%= cell(
         "decidim/version",
         current_version,
    -    index: params[:id],
    +    index: params[:id].to_i,
         versioned_resource: versioned_resource,
         versions_path: proc { url_for(action: :index) },
         i18n_scope: "decidim.accountability.results.show.stats"
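Review bot: `params[:id].to_i` on the `index:` line keeps leading digits and silently maps anything else to 0, so `2'XSS<script>...` becomes 2 (what the new spec expects) but a non-numeric id will render as "0 out of N" while `current_version`, which is passed separately and whose lookup this diff does not touch, may resolve differently. Consider `Integer(params[:id], exception: false)` with an explicit error on nil, or validating the id once before the version lookup, so the displayed index and the resolved version cannot disagree; the coercion here is defence in depth, the escaping in the cell is the actual fix.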
    
  • decidim-accountability/spec/system/explore_versions_spec.rb+8 0 modified
    @@ -103,5 +103,13 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     end
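Review bot: the new spec only asserts that the counter text is present, so it would still pass if the payload were reflected somewhere else on the page. Add a negative assertion alongside it, for example `expect(page).not_to have_content("XSS")` or `expect(page.html).not_to include("<script>alert")`. Also note the visited path mixes a raw `<script>` opening tag with a percent-encoded `<%2Fscript>` closing tag; if both encodings are meant to be covered, two explicit cases would make that intent clear.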
    
  • decidim-core/app/cells/decidim/version_cell.rb+1 1 modified
    @@ -50,7 +50,7 @@ def i18n_version_created_at
         end
     
         def i18n(string, **params)
    -      t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope))
    +      decidim_html_escape(t(string, **params, scope: i18n_scope, default: t(string, **params, scope: default_i18n_scope)))
         end
     
         def i18n_scope
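Review bot: wrapping the whole result of `t` in `decidim_html_escape` is the real fix, but it escapes the translation itself and not just the interpolated `params`, so any key under these `i18n_scope`s that legitimately carries markup (an `_html` key) will now render as literal text; confirm none do, or escape the interpolated values before passing them to `t`. It is also worth checking that no caller of `i18n` applies `raw`/`html_safe` to the returned string, which would undo this change.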
    
  • decidim-debates/app/views/decidim/debates/versions/show.html.erb+1 1 modified
    @@ -2,7 +2,7 @@
       <%= cell(
         "decidim/version",
         current_version,
    -    index: params[:id],
    +    index: params[:id].to_i,
         versioned_resource: versioned_resource,
         versions_path: proc { url_for(action: :index) },
         i18n_scope: "decidim.debates.debates.versions.debates"
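Review bot: this is the second of six identical `index: params[:id].to_i` edits spread across component views; the coercion belongs in `Decidim::VersionCell`, where the `index` option is read, so a seventh component cannot forget it. With the escaping now in the cell the view-side change is belt and braces, which is another reason to keep it in one place rather than in every `versions/show.html.erb`.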
    
  • decidim-debates/spec/system/debates_versions_spec.rb+8 0 modified
    @@ -102,6 +102,14 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     
       def update_debate
    
  • decidim-initiatives/app/views/decidim/initiatives/versions/show.html.erb+1 1 modified
    @@ -2,7 +2,7 @@
       <%= cell(
         "decidim/version",
         current_version,
    -    index: params[:id],
    +    index: params[:id].to_i,
         versioned_resource: versioned_resource,
         versions_path: proc { url_for(action: :index) },
         i18n_scope: "decidim.initiatives.versions.shared"
    
  • decidim-initiatives/spec/system/initiatives_versions_spec.rb+8 0 modified
    @@ -132,5 +132,13 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     end
    
  • decidim-meetings/app/views/decidim/meetings/versions/show.html.erb+1 1 modified
    @@ -2,7 +2,7 @@
       <%= cell(
         "decidim/version",
         current_version,
    -    index: params[:id],
    +    index: params[:id].to_i,
         versioned_resource: versioned_resource,
         versions_path: proc { url_for(action: :index) },
         i18n_scope: "decidim.meetings.versions"
    
  • decidim-meetings/spec/system/explore_versions_spec.rb+8 0 modified
    @@ -108,5 +108,13 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     end
    
  • decidim-proposals/app/views/decidim/proposals/versions/show.html.erb+1 1 modified
    @@ -10,7 +10,7 @@ end
       <%= cell(
         "decidim/version",
         current_version,
    -    index: params[:id],
    +    index: params[:id].to_i,
         versioned_resource: versioned_resource,
         versions_path: proc { url_for(action: :index) },
         i18n_scope: "decidim.proposals.versions.#{item_name.to_s.pluralize}"
    
  • decidim-proposals/spec/system/collaborative_drafts_versions_spec.rb+8 0 modified
    @@ -114,6 +114,14 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     
       context "when visiting the collaborative draft details" do
    
  • decidim-proposals/spec/system/proposals_versions_spec.rb+8 0 modified
    @@ -134,5 +134,13 @@
             end
           end
         end
    +
    +    context "when the version number is malformed" do
    +      it "displays the page correctly" do
    +        visit %{#{current_path}'XSS<script>alert('version')<%2Fscript>}
    +
    +        expect(page).to have_content("VERSION NUMBER\n2 out of 2")
    +      end
    +    end
       end
     end
    


References: 5
