CVE-2024-39910

Name of the Vulnerable Software and Affected Versions decidim versions prior to 0.27.7

Description The WYSWYG editor QuillJS in decidim is subject to potential XSS attacks if an attacker manages to modify the HTML before it is uploaded to the server. The attacker can change code, for example, to <svg onload=alert('XSS')> if they know how to craft these requests themselves.

Recommendations For versions prior to 0.27.7, upgrade to version 0.27.7. As a temporary workaround for users unable to upgrade, review the user accounts that have access to the admin panel and remove access to them if they don't need it. Disable the "Enable rich text editor for participants" setting in the admin dashboard.