CVE-2023-51447: 
Ruby vulnerability analysis and mitigation

CVE-2023-51447 affects Decidim, a participatory democracy framework, specifically versions from 0.27.0 and prior to versions 0.27.5 and 0.28.0. The vulnerability was discovered during a security audit conducted by Deloitte Finland for the City of Helsinki in September 2023. The issue involves a potential cross-site scripting (XSS) vulnerability in the dynamic file upload feature (GitHub Advisory).

The vulnerability is classified as a cross-site scripting (XSS) issue (CWE-79) with a CVSS v3.1 score of 6.3 (Medium), having a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. The issue exists in the dynamic file upload feature where attackers can potentially modify file names of records being uploaded to the server through the dynamic upload endpoint (NVD, GitHub Advisory).

If successfully exploited, the vulnerability allows attackers to execute cross-site scripting attacks by manipulating file names in uploaded content. This requires the attacker to have successfully uploaded a file blob to the server with a malicious file name and then direct another user to the edit page of the record where the attachment is attached (GitHub Advisory).

The vulnerability has been patched in versions 0.27.5 and 0.28.0. As a workaround, administrators can disable dynamic uploads for the instance, for example from proposals. The fix was implemented through PR #11612 for both 0.28.dev and 0.27.x versions (GitHub Advisory, Release Notes).