Securing Decidim: Addressing Vulnerabilities in a Ruby-based Citizen Participation Platform
The article highlights two security vulnerabilities in Decidim, a Ruby-based citizen participation platform, and how the Decidim team addressed them. The vulnerabilities were discovered by the GitHub Security Lab using CodeQL. The first was a cross-site scripting (XSS) vulnerability in Decidim's external link feature, which could have allowed attackers to perform actions on behalf of logged-in users. The second allowed data exfiltration via query filters in Decidim instances with the meeting component enabled. Both vulnerabilities were fixed in update releases in May 2023. Decidim is widely used by government organizations, including New York City and the European Union, for digital citizen participation. The article emphasizes the importance of addressing vulnerabilities in open source projects and the impact that such fixes can have across the entire ecosystem of downstream deployments. Developers running Decidim are advised to update to the latest version to ensure the security of their applications.