Decidim: HTML content blocks allow stored script execution
Description
A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in anHTML block, and the public page renders it with html_safe and no output escaping.Technical description
This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in anHTML block. The block is then rendered back through Decidim::ContentBlocks::HtmlCell#html_content without a sanitization boundary, so the script executes later in visitor's browsers.Impact
- A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
- Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.
Patches
See https://github.com/decidim/decidim/pull/16451
Workarounds
Do not give admin permissions to non-trustful users.
Reference
Stored XSS
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.