ADVISORIES

• CVE-2023-47634 (NVD)
• GHSA-r275-j57c-7mf2
• Vendor Advisory

GEM

decidim

SEVERITY

CVSS v3.x: 3.1 (Low)

UNAFFECTED VERSIONS

• < 0.10.0

PATCHED VERSIONS

• ~> 0.26.9
• >= 0.27.5

DESCRIPTION

Impact

A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement.

To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.

Workarounds

Disable the Endorsement feature in the components.

RELATED

• https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2
• https://github.com/decidim/decidim/commit/5c5ee7a50d75c10643dd8c495e2517641e4d74db
• https://github.com/decidim/decidim/commit/7b840d2c37a562709f4481db644d8c43add28536
• https://github.com/advisories/GHSA-r275-j57c-7mf2