Decidim has a cross-site scripting (XSS) in user name

### Impact A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. ### Patches N/A ### Workarounds Not available ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by [octree](https://octree.ch/) and made by [Secu Labs](https://seculabs.ch/) against Decidim financed by the city of Lausanne (Switzerland). Source Code Location: https://github.com/decidim/decidim Affected Packages: - rubygems:decidim-core, affected >= 0.31.0.rc1, < 0.31.0, patched in 0.31.1 - rubygems:decidim-core, affected < 0.30.5, patched in 0.30.5 CWEs: - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS: - CVSS_V4: score 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L References: - https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g - https://github.com/decidim/decidim/releases/tag/v0.30.5 - https://github.com/decidim/decidim/releases/tag/v0.31.1 - https://github.com/advisories/GHSA-fc46-r95f-hq7g