PT-2024-14129 · Decidim · Decidim
Ctrgrb · Published 2024-02-20 · Updated 2024-12-16 · CVE-2023-51447
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Decidim versions 0.27.0 through 0.27.4
Decidim versions prior to 0.28.0

Description
The dynamic file upload feature in Decidim is vulnerable to cross-site scripting if an attacker can modify the file names of the records being uploaded to the server. The issue affects sections where the user controls the file upload dialog and has the technical knowledge to change the file name through the dynamic upload endpoint. Successful exploitation requires the attacker to upload a file blob to the server with a malicious file name and then direct another user to the edit page of the record to which the attachment is attached. An attacker who can craft these requests can set the file name, for example, to "<svg onload=alert('XSS')>".
Recommendations For Decidim versions 0.27.0 through 0.27.4, update to version 0.27.5 or later. For Decidim versions prior to 0.28.0, update to version 0.28.0 or later. As a temporary workaround, consider disabling dynamic uploads for the instance, e.g., from proposals.
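To make the vulnerability class concrete, the following is an added Ruby example, not Decidim's own code: it contrasts an unescaped render of a stored attachment file name with an escaped one, and adds a hypothetical allowlist validator and a log-review heuristic. The file name and all helper names are constructed for illustration.

```ruby
# Added example (not Decidim's code): how an unescaped attachment file name
# becomes stored XSS on an edit page, and two defender-side checks.
require "erb"

# Constructed sample: a file name an attacker could set via the upload endpoint.
MALICIOUS_NAME = "<svg onload=alert('XSS')>"

# Vulnerable rendering: interpolates the stored file name straight into markup,
# so the browser parses the name as an element instead of text.
def render_attachment_unsafe(filename)
  "<li class=\"attachment\">#{filename}</li>"
end

# Hardened rendering: escapes the file name as text before it reaches HTML.
def render_attachment_safe(filename)
  "<li class=\"attachment\">#{ERB::Util.html_escape(filename)}</li>"
end

# Defense in depth (hypothetical validator): accept only a conservative
# file-name charset so names carrying markup metacharacters are rejected
# at the upload endpoint, before they are stored at all.
SAFE_FILENAME = /\A\w[\w .\-]{0,254}\z/

def acceptable_filename?(filename)
  return false if filename.nil?
  SAFE_FILENAME.match?(filename)
end

# Detection heuristic for reviewing already-stored names or upload logs:
# flag names that contain tag characters or inline event-handler syntax.
def suspicious_filename?(filename)
  filename.to_s.match?(/[<>"']|javascript:|on\w+=/i)
end
```

Escaping at render time is the fix that closes the bug; the validator and the heuristic only narrow exposure and help find records that were stored before an upgrade.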

Links: Exploit · Fix
Tags: XSS


Weakness Enumeration
Related Identifiers: CVE-2023-51447, GHSA-9W99-78RJ-HMXQ
Affected Products: Decidim