RubySec

Providing security resources for the Ruby community

CVE-2023-36465 (decidim): Decidim has broken access control in templates

GEM

decidim

SEVERITY

CVSS v3.x: 9.1 (Critical)

UNAFFECTED VERSIONS

  • < 0.23.2

PATCHED VERSIONS

  • ~> 0.26.8
  • >= 0.27.4

DESCRIPTION

Impact

The templates module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys.
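To check whether an application resolves to an affected release, the version ranges listed above can be evaluated against a Gemfile.lock. The following is an added example, not code from RubySec or Decidim. The helper names, the sample lockfile, and the choice to also check the `decidim-templates` gem (assumed to share the version number of `decidim`) are assumptions made for illustration.

```ruby
# Version constraints copied from the advisory above.
UNAFFECTED = [Gem::Requirement.new("< 0.23.2")].freeze
PATCHED = [
  Gem::Requirement.new("~> 0.26.8"), # >= 0.26.8 and < 0.27
  Gem::Requirement.new(">= 0.27.4")
].freeze

# A release is affected when it satisfies none of the unaffected
# or patched constraints.
def vulnerable?(version)
  v = Gem::Version.new(version)
  (UNAFFECTED + PATCHED).none? { |req| req.satisfied_by?(v) }
end

# Extract resolved versions from Gemfile.lock text. Resolved specs are
# indented by exactly four spaces, e.g. "    decidim (0.27.3)"; their
# dependency lines are indented by six and are skipped.
# Assumption: decidim-templates is checked alongside decidim.
def decidim_versions(lockfile_text)
  lockfile_text.scan(/^ {4}(decidim(?:-templates)?) \(([^)]+)\)$/).to_h
end

# Return a hash of gem name => version for every affected entry.
def audit(lockfile_text)
  decidim_versions(lockfile_text).select { |_name, ver| vulnerable?(ver) }
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.27.3)
        decidim-core (= 0.27.3)
        decidim-templates (= 0.27.3)
      decidim-core (0.27.3)
      decidim-templates (0.27.3)
      rails (6.1.7)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |name, ver|
    puts "#{name} #{ver} is affected by CVE-2023-36465"
  end
end
```

Note that `~> 0.26.8` only covers the 0.26.x line, so 0.27.0 through 0.27.3 remain affected even though they are newer than 0.26.8.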

RELATED