Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform
Blog post from GitHub
In May 2023, the Decidim platform, widely used for digital citizen participation by entities such as New York City and the European Union, addressed two critical security vulnerabilities identified by GitHub Security Lab. The first was a cross-site scripting (XSS) vulnerability that let attackers perform actions on behalf of logged-in users through manipulated external links, potentially tricking citizens into endorsing proposals. The second was a data exfiltration vulnerability that enabled unauthorized access to sensitive information stored in Decidim's databases, facilitated by the Ransack search library's default settings. Both vulnerabilities were mitigated in updated releases, underlining the importance of robust security measures in open-source software for maintaining trust in participatory digital processes.
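The allow-list idea behind the second fix, as an added pure-Ruby illustration that is not Decidim's or Ransack's own code: without an allow-list, any model column named in a search parameter becomes a query condition, whereas with one only attributes the application explicitly opts in (the role of Ransack's `ransackable_attributes` hook) are honoured. The column names, predicate list and request hash below are constructed for the example.

```ruby
require 'set'

# Constructed subset of Ransack-style predicate suffixes; longer ones first so
# "created_at_gteq" is not mistaken for an "_eq" condition.
PREDICATES = %w[gteq lteq cont start end eq].freeze

# Constructed stand-in for a model's database columns.
ALL_COLUMNS = %w[id title body encrypted_password email created_at].freeze

# Defender's allow-list: only attributes meant to be public are searchable.
SEARCHABLE = Set.new(%w[title body]).freeze

# Constructed request parameters, as a "q" hash would arrive from a query string.
SAMPLE_Q = {
  'title_cont' => 'park',
  'encrypted_password_start' => 'x', # sensitive column, must never be searchable
  'bogus_cont' => 'y'                # not a column at all
}.freeze

# Split a Ransack-style key such as "title_cont" into ["title", "cont"],
# or return nil when no known predicate suffix is present.
def split_condition(key)
  PREDICATES.each do |pred|
    suffix = "_#{pred}"
    return [key.delete_suffix(suffix), pred] if key.end_with?(suffix)
  end
  nil
end

# Permissive behaviour: every real column of the model is accepted as a condition.
def permissive_conditions(q)
  q.each_with_object([]) do |(key, value), acc|
    attr, pred = split_condition(key)
    acc << [attr, pred, value] if attr && ALL_COLUMNS.include?(attr)
  end
end

# Hardened behaviour: conditions on attributes outside the allow-list are dropped.
def hardened_conditions(q)
  permissive_conditions(q).select { |attr, _pred, _value| SEARCHABLE.include?(attr) }
end
```

Running `hardened_conditions(SAMPLE_Q)` keeps only the `title_cont` condition, while the permissive version would also accept the condition on the sensitive column.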