CVE-2023-36465

EUVD-2023-2663

06.10.2023, 12:15

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.1 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
GitHub_M	CNA	9.1 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Affected Products (NVD)

Vendor	Product	Version
decidim	decidim	𝑥 < 0.26.8
decidim	decidim	0.27.0 ≤ 𝑥 < 0.27.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/decidim/decidim/releases/tag/v0.26.8

https://github.com/decidim/decidim/releases/tag/v0.27.4

https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq

https://github.com/decidim/decidim/releases/tag/v0.26.8

https://github.com/decidim/decidim/releases/tag/v0.27.4

https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq