Ctrgrb

**Name of the Vulnerable Software and Affected Versions** decidim versions 0.0.1.alpha3 through 0.26.8 decidim-admin versions 0.0.1.alpha3 through 0.26.8 decidim-system versions 0.0.1.alpha3 through 0.26.8 devise invitable versions 0.4.rc3 through 2.0.8 **Description** The invites feature in the `devise invitable` gem allows users to accept invitations for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies in the `decidim`, `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise invitable` gem always accepts the pending invitation if the user has been invited, without ensuring that the pending invitation is still valid as defined by the `invite for` expiry period. Decidim sets this configuration to `2.weeks`, which should be respected. **Recommendations** For decidim versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above. For decidim-admin versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above. For decidim-system versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above. For devise invitable versions 0.4.rc3 through 2.0.8, update to version 2.0.9 or above. As a temporary workaround, invitations can be cancelled directly from the database by running the command: Decidim::User.invitation not accepted.update all(invitation token: nil)

**Name of the Vulnerable Software and Affected Versions** Decidim versions 0.27.0 through 0.27.4 Decidim versions prior to 0.28.0 **Description** The dynamic file upload feature in Decidim is subject to potential cross-site scripting attacks if an attacker can modify the file names of the records being uploaded to the server. This issue appears in sections where the user controls the file upload dialogs and has the technical knowledge to change the file names through the dynamic upload endpoint. Successful exploitation would require the user to upload a file blob to the server with a malicious file name and then direct another user to the edit page of the record where the attachment is attached. The attacker can change the filename, for example, to `<svg onload=alert('XSS')>`, if they know how to craft these requests themselves. **Recommendations** For Decidim versions 0.27.0 through 0.27.4, update to version 0.27.5 or later. For Decidim versions prior to 0.28.0, update to version 0.28.0 or later. As a temporary workaround, consider disabling dynamic uploads for the instance, e.g., from proposals.