CVE-2023-34089: 
Ruby vulnerability analysis and mitigation

Decidim, a participatory democracy framework written in Ruby on Rails and originally developed for the Barcelona City government, was found to contain a Cross-site scripting (XSS) vulnerability in its processes filter feature. The vulnerability was discovered in versions 0.14.0 through 0.26.5, and versions 0.27.0 through 0.27.2, and was assigned CVE-2023-34089. The issue was patched in versions 0.27.3 and 0.26.7 (GitHub Advisory).

The vulnerability allows a remote attacker to execute JavaScript code in the context of a currently logged-in user through the processes filter feature. The severity of this vulnerability has been rated as HIGH with a CVSS v3.1 base score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The attack vector is network-based, with low attack complexity, requiring no privileges but needing user interaction (GitHub Advisory).

An attacker exploiting this vulnerability could execute arbitrary JavaScript code in the context of a logged-in user's session. This could be leveraged to make other users unknowingly endorse or support proposals they have no intention of supporting or endorsing, potentially compromising the integrity of the democratic participation process (GitHub Advisory).

The vulnerability has been fixed in versions 0.27.3 and 0.26.7. Organizations running affected versions should upgrade to these patched versions immediately to protect against potential exploitation (GitHub Advisory).