PT-2024-24596 · Decidim · Decidim

Patrick Himler · Published 2024-07-10 · Updated 2024-07-11 · CVE-2024-32469

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Decidim versions prior to 0.27.6; Decidim versions prior to 0.28.1

Description: The pagination feature used in searches and filters is subject to a potential XSS attack through a malformed URL using the GET parameter per_page. This issue was discovered in a security audit of Decidim organized by the mitgestalten Partizipationsbüro and funded by netidee, carried out during April 2024.

Recommendations: For Decidim versions prior to 0.27.6, update to version 0.27.6 or later to fix the vulnerability. For Decidim versions prior to 0.28.1, update to version 0.28.1 or later. As a temporary workaround, consider restricting access to the per_page parameter in the affected API endpoint until a patch is available.
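The following Ruby example is added here to illustrate the general mitigation class for this kind of issue; it is not Decidim's code and not the upstream fix. It assumes a Rails-style search endpoint with a per_page query parameter and a hypothetical allow-list of page sizes. It shows three things a defender wants: coercing the untrusted value to an allow-listed integer before it is reflected into a pagination link, HTML-escaping the link anyway as defense in depth, and a small detection helper that flags request query strings whose per_page is not a plain integer (useful for a WAF rule or log review).

```ruby
require "cgi"
require "uri"

# Illustrative example, not Decidim's code: hypothetical allow-list of
# page sizes that the search UI actually offers.
ALLOWED_PER_PAGE = [10, 20, 50, 100].freeze
DEFAULT_PER_PAGE = 20

# Coerce an untrusted query value to one of the allowed page sizes.
# Anything that is not exactly a short decimal integer on the list falls
# back to the default, so a malformed value never reaches generated HTML.
def safe_per_page(raw)
  return DEFAULT_PER_PAGE unless raw.is_a?(String) && raw.match?(/\A\d{1,4}\z/)
  value = Integer(raw, 10)
  ALLOWED_PER_PAGE.include?(value) ? value : DEFAULT_PER_PAGE
end

# Build the "next page" link from validated values only, then HTML-escape
# the href attribute as well (defense in depth: even if validation were
# bypassed, the attribute context stays intact).
def next_page_link(base_path, page:, per_page_raw:)
  per_page = safe_per_page(per_page_raw)
  query = URI.encode_www_form(page: page + 1, per_page: per_page)
  href = "#{base_path}?#{query}"
  %(<a href="#{CGI.escapeHTML(href)}" rel="next">Next</a>)
end

# Detection aid: true when a request's query string carries a per_page
# value that is not a plain integer. Unparseable input is treated as
# suspicious rather than silently ignored.
def suspicious_per_page?(query_string)
  params = URI.decode_www_form(query_string.to_s)
  params.any? { |k, v| k == "per_page" && !v.match?(/\A\d{1,4}\z/) }
rescue ArgumentError
  true
end

# Constructed sample inputs: a benign value, a value containing a quote,
# and an out-of-range value.
if __FILE__ == $PROGRAM_NAME
  puts safe_per_page("50")
  puts safe_per_page('"20')
  puts safe_per_page("5000")
  puts next_page_link("/search", page: 1, per_page_raw: '"20')
  puts suspicious_per_page?("page=2&per_page=20")
  puts suspicious_per_page?("page=2&per_page=20%22%3E")
end
```

The validation step is what closes the issue: a value that is not on the allow-list is replaced, not merely escaped, so the reflected link can only ever contain a number the application chose. The detection helper is the cheap companion check for access logs while an upgrade is being rolled out.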

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-32469
GHSA-7CX8-44PC-XV3Q

Affected Products

Decidim