RubySec

Providing security resources for the Ruby community

CVE-2023-36465 (decidim): Decidim has broken access control in templates

Decidim has broken access control in templates

Published: October 05, 2023

SECURITY IDENTIFIERS

CVE-2023-36465

GEM

decidim

SEVERITY

CVSS v3.x: 9.1 (Critical)

UNAFFECTED VERSIONS

< 0.23.2

PATCHED VERSIONS

~> 0.26.8
>= 0.27.4

DESCRIPTION

Impact

The templates module does not enforce the correct permissions, so any logged-in user, not only organization administrators, can reach this functionality in the administration panel. An attacker with an ordinary account could use this to create, change or delete survey templates.
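The following is an added illustration, not code from Decidim or from this advisory: a simplified model of a permission chain for an admin "templates" module, showing the broken-access-control pattern described above (any authenticated user is allowed) beside a hardened version that requires an administrator and an explicit action allow-list. All class, method and field names here (User, PermissionAction, BrokenTemplatesPermissions, FixedTemplatesPermissions, enforce_permission_to) are assumptions made for the example.

```ruby
# Added example (not Decidim's code). Names are hypothetical; the point is
# the shape of the check, not the project's real permission classes.

# Hypothetical user record: only `admin` matters for this check.
User = Struct.new(:name, :admin, keyword_init: true)

# Hypothetical description of what the controller is asking permission for.
PermissionAction = Struct.new(:scope, :subject, :action, keyword_init: true) do
  def allow!
    @allowed = true
  end

  def disallow!
    @allowed = false
  end

  def allowed?
    @allowed == true
  end
end

class NotAuthorized < StandardError; end

# VULNERABLE: every authenticated user is allowed every templates action,
# because the only thing checked is whether a user is present at all.
class BrokenTemplatesPermissions
  def initialize(user, permission_action)
    @user = user
    @pa = permission_action
  end

  def permissions
    return @pa unless @pa.scope == :admin && @pa.subject == :template

    @pa.allow! if @user # missing: is this user actually an admin?
    @pa
  end
end

# HARDENED: deny by default, require an admin, and only allow a known set
# of actions in the admin templates scope.
class FixedTemplatesPermissions
  ALLOWED_ACTIONS = %i[read create update destroy].freeze

  def initialize(user, permission_action)
    @user = user
    @pa = permission_action
  end

  def permissions
    return @pa unless @pa.scope == :admin && @pa.subject == :template

    @pa.disallow!
    return @pa unless @user&.admin

    @pa.allow! if ALLOWED_ACTIONS.include?(@pa.action)
    @pa
  end
end

# Controller-style guard: run the permission chain and raise unless it
# explicitly allowed the action.
def enforce_permission_to(permissions_class, user, action)
  pa = PermissionAction.new(scope: :admin, subject: :template, action: action)
  result = permissions_class.new(user, pa).permissions
  unless result.allowed?
    raise NotAuthorized, "#{user&.name || 'anonymous'} may not #{action} templates"
  end
  true
end

# Convenience wrapper returning true/false instead of raising.
def authorized?(permissions_class, user, action)
  enforce_permission_to(permissions_class, user, action)
rescue NotAuthorized
  false
end

if __FILE__ == $0
  alice = User.new(name: "alice", admin: false) # ordinary logged-in user
  root  = User.new(name: "root", admin: true)   # organization admin
  [BrokenTemplatesPermissions, FixedTemplatesPermissions].each do |klass|
    puts "#{klass}: alice destroy=#{authorized?(klass, alice, :destroy)} " \
         "root destroy=#{authorized?(klass, root, :destroy)}"
  end
end
```

With the broken chain, the non-admin user is allowed to destroy templates; with the hardened chain the same request is refused, anonymous requests are refused, and an admin is refused for any action outside the allow-list. When reviewing a fix for this class of bug, check that the admin scope denies by default and that the role check is on the user, not merely on the presence of a session.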

RELATED