Patrick Himler

**Name of the Vulnerable Software and Affected Versions** Decidim versions prior to 0.27.6 Decidim versions prior to 0.28.1 **Description** The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per page`. This issue was discovered in a security audit organized by the mitgestalten Partizipationsbüro and funded by netidee against Decidim done during April 2024. **Recommendations** For Decidim versions prior to 0.27.6, update to version 0.27.6 or later to fix the vulnerability. For Decidim versions prior to 0.28.1, update to version 0.28.1 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the `per page` parameter in the affected API endpoint until a patch is available.