CVE-2024-32034: 
Ruby vulnerability analysis and mitigation

The vulnerability (CVE-2024-32034) affects Decidim, a Free Open-Source participatory democracy platform. The issue was discovered in the admin panel where Cross-site scripting (XSS) attacks are possible when an admin assigns a valuator to a proposal or performs other actions that generate admin activity logs where resources contain maliciously crafted XSS content. The vulnerability affects versions up to 0.27.6 and 0.28.1, and has been patched in versions 0.27.7, 0.28.2, and newer (Vendor Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with the potential to impact confidentiality but not integrity or availability (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks through the admin panel, potentially compromising sensitive information when an administrator interacts with maliciously crafted content in the activity logs (Vendor Advisory).

The issue has been patched in versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade to these versions. For those unable to upgrade immediately, a workaround is available by redirecting the /admin and /admin/logs pages to other admin pages (e.g., /admin/organization/edit) to prevent access to the vulnerable functionality (Vendor Advisory).