CVE-2024-41673: 
Ruby vulnerability analysis and mitigation

Decidim, a participatory democracy framework, was found to contain a Cross-Site Scripting (XSS) vulnerability in its version control feature. The vulnerability, identified as CVE-2024-41673, was discovered during a security audit organized by Open Source Politics in July 2025. The issue affects versions up to and including 0.27.7 and has been fixed in version 0.27.8 (GitHub Advisory).

The vulnerability allows potential XSS attacks through a malformed URL in the version control feature. The issue has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with high impact on confidentiality, low impact on integrity, and no impact on availability (GitHub Advisory).

The vulnerability can lead to unauthorized access to sensitive information and potential manipulation of data through cross-site scripting attacks. The CVSS scoring indicates high impact on data confidentiality and low impact on data integrity, while system availability remains unaffected (GitHub Advisory).

The vulnerability has been patched in Decidim version 0.27.8. Users are advised to upgrade to this version to protect against potential XSS attacks. No workarounds have been provided for users who cannot immediately upgrade (GitHub Advisory).