Decidim Stored XSS in User Name Field - Passive Code Execution Vector
A stored cross-site scripting (XSS) vulnerability in Decidim's user name field lets an attacker run arbitrary script in victims' browsers whenever they view a comment page, with no interaction beyond passive browsing. This is a critical stored XSS variant whose impact crosses security boundaries.
CVE References
Affected
Vulnerability Analysis
Vulnerability Class & Root Cause: This is a stored (persistent) cross-site scripting vulnerability, classified under OWASP ASVS 5.1.3 (Output Encoding and Injection Prevention). The root cause is inadequate input sanitization and/or output encoding of the user name field. User-controlled data is stored in the database and later rendered on comment pages without HTML entity encoding or Content Security Policy (CSP) protection, so a malicious script persists and executes in the browser of every user who views the affected content.
Impact Assessment: The vulnerability crosses security boundaries: an attacker can compromise accounts and sessions far beyond their own privilege level. A low-privileged attacker (regular user) can inject a payload that executes in the context of administrators, moderators or other users, enabling session hijacking, account takeover, credential theft, malware distribution, defacement and unauthorized administrative actions. The passive attack vector (victims need only view a comment page) significantly increases the probability of exploitation.
PoC Significance: The disclosed PoC demonstrates reliable, reproducible exploitation that requires only navigating to a comment page; no user interaction beyond passive browsing is needed. This shows the vulnerability is not theoretical and affects the normal content-viewing workflow. That it was discovered in an official security audit by reputable firms indicates high-confidence validation and suggests a broader range of affected versions.
Detection Guidance: Monitor for:
1. HTML special characters (<, >, ", ') from user name fields appearing in page source as literals rather than as entities;
2. User names containing common XSS payload patterns (search logs for <script>, onerror=, onclick= and other event handlers);
3. Anomalous JavaScript execution origins in browser console errors;
4. Unexpected DOM mutations when comment sections load;
5. WAF logs showing stored payloads in user registration or profile-update requests;
6. CSP violation reports, where a CSP is configured.
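The script below is an added example written for this advisory; it is not Decidim's code and not part of the original disclosure. Ruby is used because Decidim is a Rails application. It applies detection items (1) and (2) to constructed request log lines and constructed HTML fragments, and the same name scan can be pointed at existing database records for the historical-data audit listed under mitigation. The log line format, the name="..." field and the sample names are assumptions.

```ruby
require "erb"

# Constructed sample log lines (assumption: one registration or profile-update
# request per line, with the submitted display name in a name="..." field).
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:01Z POST /users name="Alice"
  2024-01-01T10:00:02Z PUT /account name="Bob <script>alert(1)</script>"
  2024-01-01T10:00:03Z PUT /account name="Carol <img src=x onerror=alert(1)>"
  2024-01-01T10:00:04Z POST /users name="D'Angelo"
LOG

# Indicators from detection items (1) and (2): markup characters stored as
# literals, a script element, or an inline event handler assignment.
INDICATORS = {
  "markup_chars"  => /[<>]/,
  "script_tag"    => /<\s*script\b/i,
  "event_handler" => /\bon\w+\s*=/i,
}.freeze

# Returns the names of every indicator that matches the stored name.
def classify_name(name)
  INDICATORS.select { |_, re| name.match?(re) }.keys
end

# Scans request log lines and returns one record per name that trips an
# indicator; names without indicators (plain apostrophes included) are skipped.
def scan_log(log)
  log.each_line.filter_map do |line|
    m = line.match(/name="([^"]*)"/)
    next unless m
    hits = classify_name(m[1])
    hits.empty? ? nil : { name: m[1], indicators: hits }
  end
end

# Detection item (1) against served HTML: a stored name that carries special
# characters should appear only in entity-encoded form. If the literal name
# is present in the response body, the page rendered it unencoded.
def rendered_unencoded?(page_html, stored_name)
  return false unless stored_name.match?(/[<>"'&]/)
  page_html.include?(stored_name)
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each { |r| puts "#{r[:indicators].join(',')}: #{r[:name]}" }
  name = "Bob <script>alert(1)</script>"
  puts rendered_unencoded?("<span>#{name}</span>", name)                       # unencoded
  puts rendered_unencoded?("<span>#{ERB::Util.html_escape(name)}</span>", name) # encoded
end
```

The event-handler pattern is deliberately broad; run it against a sample of legitimate names before alerting on it, and treat a hit from rendered_unencoded? on a production response as confirmation that output encoding is missing on that page, independent of what the stored name contains.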
Mitigation Steps:
1. Immediate: deploy input validation that rejects angle brackets, quotes and event-handler keywords in user name fields;
2. Short-term: apply HTML entity encoding (<, >, ", ') wherever a user name is displayed;
3. Comprehensive: enable and enforce a strict Content Security Policy (default-src 'self'; script-src 'self') to block inline script execution;
4. Long-term: update to a patched Decidim version when available (currently marked N/A);
5. Database remediation: audit existing user names for stored payloads and sanitize historical data;
6. Testing: add automated security regression tests that verify HTML encoding of user-generated content at render time.
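The following Ruby is an added example, not Decidim's code and not part of the original advisory. It illustrates the root cause described under Vulnerability Analysis and mitigation steps 1 to 3 side by side: a comment author rendered without encoding, the same rendering with HTML entity encoding, a registration-time name validator, and a check that a CSP policy string actually denies injected inline scripts. The template markup, STORED_NAME, the 50-character name limit and the sample policies are assumptions.

```ruby
require "erb"

# Constructed sample: a stored display name carrying markup (assumption: this
# is what an attacker-controlled user name looks like once in the database).
STORED_NAME = "Bob <script>alert(1)</script>"

# Vulnerable rendering: the name is interpolated into the template as-is, so
# the browser parses the stored <script> element and runs it for every viewer.
def render_comment_vulnerable(name, body)
  %(<div class="comment"><span class="author">#{name}</span><p>#{body}</p></div>)
end

# Hardened rendering (mitigation step 2): every user-controlled value passes
# through HTML entity encoding, so & < > " ' reach the page as entities and
# are displayed as text instead of being parsed as markup.
def render_comment_safe(name, body)
  author = ERB::Util.html_escape(name)
  text   = ERB::Util.html_escape(body)
  %(<div class="comment"><span class="author">#{author}</span><p>#{text}</p></div>)
end

# Input validation (mitigation step 1): reject angle brackets, quotes and
# inline event-handler keywords at registration and profile update.
NAME_REJECT = /[<>"']|\bon\w+\s*=/i

def valid_user_name?(name)
  name.length.between?(1, 50) && !name.match?(NAME_REJECT)
end

# CSP check (mitigation step 3): a policy stops injected inline scripts only
# if an effective script source list exists (script-src, else default-src)
# and that list does not contain 'unsafe-inline'.
def blocks_inline_scripts?(policy)
  directives = policy.split(";").map(&:strip).reject(&:empty?).to_h do |d|
    name, *sources = d.split(/\s+/)
    [name.downcase, sources.map(&:downcase)]
  end
  sources = directives["script-src"] || directives["default-src"]
  !sources.nil? && !sources.include?("'unsafe-inline'")
end

# The policy recommended in mitigation step 3.
CSP_POLICY = "default-src 'self'; script-src 'self'"

if $PROGRAM_NAME == __FILE__
  puts render_comment_vulnerable(STORED_NAME, "hello")
  puts render_comment_safe(STORED_NAME, "hello")
  puts valid_user_name?(STORED_NAME)
  puts blocks_inline_scripts?(CSP_POLICY)
end
```

Output encoding is the control that removes the vulnerability; the validator is defence in depth and, as written, also rejects legitimate names such as O'Brien, which is why step 1 is labelled immediate and step 2 is the lasting fix. The CSP check treats a nonce- or hash-based policy as blocking, since a script injected through a stored name carries neither.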
Risk Assessment: Exploitation likelihood in production is very high because of the passive attack vector, the low barrier to entry (any registered user), the high impact (account compromise) and the visibility of comment sections, which are frequently accessed. This vulnerability will likely attract opportunistic threat actors, account-takeover botnets and coordinated attackers targeting participatory democracy platforms. Organizations running Decidim should treat this as a top-priority security incident requiring immediate remediation.
Sources