From 7b6de198ad4c711ec94e2680a79806213d9e06b3 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Wed, 2 Oct 2024 20:06:54 -0400
Subject: [PATCH] GHSA SYNC: 2 brand new advisories (#822)

---------

Co-authored-by: Postmodern
---
 gems/decidim/CVE-2024-41673.yml | 35 +++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 gems/decidim/CVE-2024-41673.yml

diff --git a/gems/decidim/CVE-2024-41673.yml b/gems/decidim/CVE-2024-41673.yml
new file mode 100644
index 0000000000..11a555d042
--- /dev/null
+++ b/gems/decidim/CVE-2024-41673.yml
@@ -0,0 +1,35 @@
+---
+gem: decidim
+cve: 2024-41673
+ghsa: cc4g-m3g7-xmw8
+url: https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+title: Decidim has a cross-site scripting vulnerability in the version control page
+date: 2024-10-01
+description: |
+ ### Impact
+
+ The version control feature used in resources is subject to potential
+ cross-site scripting (XSS) attack through a malformed URL.
+
+ ### Workarounds
+
+ Not available
+
+ ### References
+
+ OWASP ASVS v4.0.3-5.1.3
+
+ ### Credits
+
+ This issue was discovered in a security audit organized by
+ [Open Source Politics](https://opensourcepolitics.eu/)
+ against Decidim done during July 2025.
+cvss_v3: 7.1
+patched_versions:
+ - ">= 0.27.8"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-41673
+ - https://github.com/decidim/decidim/security/advisories/GHSA-cc4g-m3g7-xmw8
+ - https://github.com/decidim/decidim/commit/8a18c8b1ee85a1b35ee0d8d5893f218695d15637
+ - https://github.com/advisories/GHSA-cc4g-m3g7-xmw8
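Review bot: The Credits paragraph in the description dates the audit to `July 2025`, which postdates both the advisory's `date: 2024-10-01` and the 2024 CVE year, so it is presumably a typo carried over from the upstream text and should read `against Decidim done during July 2024.` unless the upstream advisory confirms otherwise. Separately, `patched_versions` carries a single lower bound `">= 0.27.8"`; if the 0.28 release line was also affected, that one range would mark every 0.28.x release as patched, so the range should be checked against the upstream advisory and, if needed, split into a separate 0.27.x entry plus a 0.28.x lower bound. The description gives no detail on which parameter of the version control page is reflected, which is acceptable for the advisory but means consumers rely entirely on the linked fix commit to assess exposure.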