CVE-2023-32693
📋 TL;DR
CVE-2023-32693 is a cross-site scripting (XSS) vulnerability in Decidim's external link feature that allows remote attackers to execute JavaScript in logged-in users' browsers. This affects Decidim instances running vulnerable versions, potentially compromising user sessions and enabling unauthorized actions like endorsing proposals. Organizations using Decidim for participatory democracy platforms are at risk.
💻 Affected Systems
- Decidim
📦 What is this software?
Decidim by Decidim
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrative sessions, manipulate voting systems, steal sensitive user data, deface websites, or redirect users to malicious sites.
Likely Case
Attackers will create malicious external links that trigger XSS payloads when clicked by logged-in users, potentially making users endorse proposals without their consent.
If Mitigated
With proper input validation and output encoding, the attack surface is limited, but unpatched systems remain vulnerable to social engineering attacks.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious links) but XSS payloads are straightforward to craft. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.26.7 or 0.27.3
Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r
Restart Required: Yes
Instructions:
1. Back up your Decidim instance.
2. Update the Gemfile to specify decidim version '~> 0.26.7' or '~> 0.27.3'.
3. Run 'bundle update decidim'.
4. Restart the Rails application server.
5. Verify the update with 'bundle show decidim'.
🔧 Temporary Workarounds
Disable External Links
Temporarily disable or restrict the external link feature in Decidim configuration
Modify config/initializers/decidim.rb to disable external link components
Content Security Policy
Implement strict CSP headers to block inline JavaScript execution
Add the header Content-Security-Policy: script-src 'self' to the web server configuration. Because this also blocks the application's own inline scripts, roll it out as Content-Security-Policy-Report-Only first and review the violation reports before enforcing it.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads in external links
- Monitor user activity logs for suspicious external link interactions and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check the Decidim version with 'bundle show decidim', or examine Gemfile.lock for a decidim version below 0.26.7 (0.26.x branch) or below 0.27.3 (0.27.x branch)
Check Version:
bundle show decidim | grep -o 'decidim-[0-9.]*'   # bundle show prints the gem's install path, e.g. .../gems/decidim-0.27.2, so the version is taken from the directory name
Verify Fix Applied:
Confirm version is 0.26.7 or higher (for 0.26.x branch) or 0.27.3 or higher (for 0.27.x branch) using 'bundle show decidim'
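The branch-aware version check above, as an added Ruby example (not part of the advisory or of the Decidim project): it reads the locked decidim version out of a Bundler Gemfile.lock and compares it against the fixed release for its own branch, so that 0.26.7 is reported as patched even though it is numerically below 0.27.3. The sample lockfile is constructed; the function names are this example's own.

```ruby
# Added example: decide whether a Gemfile.lock pins a decidim version that is
# below the fixed release for its branch (0.26.7 or 0.27.3 per the advisory).
require "rubygems"  # Gem::Version ships with RubyGems, no extra install needed

# Fixed releases named in the advisory, keyed by minor branch.
FIXED_VERSIONS = {
  "0.26" => Gem::Version.new("0.26.7"),
  "0.27" => Gem::Version.new("0.27.3"),
}.freeze

# Bundler writes resolved specs indented by four spaces: "    decidim (0.27.2)".
# Dependency lines use six spaces and gem names like decidim-core do not match.
def locked_decidim_version(lockfile_text)
  match = lockfile_text.match(/^ {4}decidim \(([^)\s]+)\)/)
  match && Gem::Version.new(match[1])
end

# :patched      -> at or above the fixed release of its branch
# :vulnerable   -> below it (pre-releases such as 0.27.3.rc1 count as below)
# :not_covered  -> a branch the advisory does not name; check the vendor advisory
def decidim_status(version)
  branch = version.segments.first(2).join(".")
  fixed = FIXED_VERSIONS[branch]
  return :not_covered unless fixed
  version >= fixed ? :patched : :vulnerable
end

def check_lockfile(lockfile_text)
  version = locked_decidim_version(lockfile_text)
  return :decidim_not_found unless version
  decidim_status(version)
end

# Constructed sample lockfile (not from a real deployment).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.27.2)
        decidim-admin (= 0.27.2)
        decidim-core (= 0.27.2)
      decidim-admin (0.27.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "decidim #{locked_decidim_version(text)}: #{check_lockfile(text)}"
end
```

Run it as `ruby check_decidim.rb path/to/Gemfile.lock`; without an argument it evaluates the embedded sample and reports `decidim 0.27.2: vulnerable`. Comparing with Gem::Version rather than string comparison is what makes 0.26.10-style versions and release candidates sort correctly.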
📡 Detection & Monitoring
Log Indicators:
- Unusual external link submissions with JavaScript payloads
- Multiple endorsement actions from single user sessions
- Suspicious referrer headers in access logs
Network Indicators:
- HTTP requests containing script tags in URL parameters
- Outbound connections to suspicious domains after clicking external links
SIEM Query:
source="web_access.log" AND (url="*<script>*" OR url="*javascript:*")
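The SIEM query above matches the literal strings `<script>` and `javascript:`, which misses percent-encoded requests. As an added Ruby example (not part of the advisory), the detector below parses access-log lines in combined format, URL-decodes the request target, applies the same two indicators case-insensitively, and tallies hits per client address. The log lines are constructed, the request paths are hypothetical, and the function names are this example's own.

```ruby
# Added example: find the advisory's URL indicators in access logs after
# URL-decoding, so encoded variants like %3Cscript%3E are not missed.
require "uri"

XSS_URL_PATTERNS = [
  [/<script/i,     "script tag in URL"],
  [/javascript:/i, "javascript: URL scheme"],
].freeze

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
ACCESS_LOG_RE = /\A(?<client>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3})/

def decode_target(target)
  URI.decode_www_form_component(target)
rescue ArgumentError
  target  # malformed %-encoding: inspect the raw string rather than dropping the line
end

def parse_access_line(line)
  m = ACCESS_LOG_RE.match(line)
  return nil unless m
  { client: m[:client], time: m[:time], method: m[:method],
    target: m[:target], status: m[:status].to_i, decoded: decode_target(m[:target]) }
end

# Return the parsed entries whose decoded target matches an indicator,
# each with the list of reasons it was flagged. Unparseable lines are skipped.
def flag_xss_requests(lines)
  lines.filter_map do |line|
    entry = parse_access_line(line)
    next unless entry
    reasons = XSS_URL_PATTERNS.filter_map { |re, why| why if re.match?(entry[:decoded]) }
    next if reasons.empty?
    entry.merge(reasons: reasons)
  end
end

# Flagged requests per client address, a starting point for the per-session
# and rate-based indicators the advisory lists.
def flagged_clients(lines)
  flag_xss_requests(lines).map { |e| e[:client] }.tally
end

# Constructed sample log; addresses are documentation ranges, paths are hypothetical.
SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [10/Jun/2023:12:00:01 +0000] "GET /processes/budget/f/12/proposals/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] "GET /processes/budget/f/12/proposals?filter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jun/2023:12:00:03 +0000] "GET /search?term=javascripting HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Jun/2023:12:00:04 +0000] "GET /link?external_url=JavaScript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
].freeze

if __FILE__ == $PROGRAM_NAME
  lines = ARGV[0] ? File.readlines(ARGV[0], chomp: true) : SAMPLE_ACCESS_LOG
  flag_xss_requests(lines).each do |e|
    puts "#{e[:time]} #{e[:client]} #{e[:method]} #{e[:decoded]} -> #{e[:reasons].join(', ')}"
  end
end
```

Note that `javascripting` in the third line is not flagged because the indicator requires the trailing colon, while the mixed-case `JavaScript%3A` in the fourth line is. Payloads encoded twice would still slip past a single decode; if your logs show `%25` sequences, decode in a loop until the string stops changing.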
🔗 References
- https://github.com/decidim/decidim/releases/tag/v0.26.7
- https://github.com/decidim/decidim/releases/tag/v0.27.3
- https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r