CVE-2023-36465

06.10.2023, 12:15

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
GitHub_M	CNA	9.1 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
decidim	decidim	𝑥 < 0.26.8
decidim	decidim	0.27.0 ≤ 𝑥 < 0.27.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/decidim/decidim/releases/tag/v0.26.8

https://github.com/decidim/decidim/releases/tag/v0.27.4

https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq

https://github.com/decidim/decidim/releases/tag/v0.26.8

https://github.com/decidim/decidim/releases/tag/v0.27.4

https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq