rubysec · postmodern · Oct 3, 2024 · Oct 1, 2024 · Oct 3, 2024
diff --git a/gems/decidim/CVE-2024-41673.yml b/gems/decidim/CVE-2024-41673.yml
@@ -0,0 +1,35 @@
+---
+gem: decidim
+cve: 2024-41673
+ghsa: cc4g-m3g7-xmw8
+url: https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+title: Decidim has a cross-site scripting vulnerability in the version control page
+date: 2024-10-01
+description: |
+  ### Impact
+
+  The version control feature used in resources is subject to potential
+  cross-site scripting (XSS) attack through a malformed URL.
+
+  ### Workarounds
+
+  Not available
+
+  ### References
+
+  OWASP ASVS v4.0.3-5.1.3
+
+  ### Credits
+
+  This issue was discovered in a security audit organized by
+  [Open Source Politics](https://opensourcepolitics.eu/)
+  against Decidim done during July 2025.
+cvss_v3: 7.1
+patched_versions:
+  - ">= 0.27.8"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-41673
+    - https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+    - https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
+    - https://github.com/advisories/GHSA-cc4g-m3g7-xmw8