Decidim has broken access control in templates
CVE-2023-36465

9.1 CRITICAL

Key Information:

Vendor:
Decidim
Status:
Vendor
CVE Published:
6 October 2023

What is CVE-2023-36465?

A security flaw in Decidim's templates module allows any logged-in user to reach administrative functions because the relevant actions lack proper permission (authorization) checks. This oversight enables malicious users to create, modify, or delete survey templates, potentially compromising the integrity of participatory democracy initiatives. The vulnerability has been addressed in versions 0.26.8 and 0.27.4. Users of Decidim should upgrade to these versions to mitigate the risk.
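The defect described above is a missing authorization check: an admin action that only verifies that someone is logged in. The following is an added illustration, not Decidim's code; the controller classes, the `authorize!` helper, the admin flag and the in-memory template store are all assumptions constructed for the example. It contrasts the vulnerable pattern (any authenticated user may delete a template) with the hardened pattern (an explicit permission check runs before the resource is touched).

```ruby
# Hypothetical illustration (not Decidim's code): an admin "templates"
# endpoint that only checks authentication versus one that also checks
# authorization before acting.

class NotAuthorized < StandardError; end

User = Struct.new(:name, :admin, keyword_init: true)

# Constructed in-memory store standing in for a templates table.
class TemplateStore
  attr_reader :templates

  def initialize
    @templates = { 1 => "Survey A", 2 => "Survey B" }
  end

  def destroy(id)
    @templates.delete(id)
  end
end

# Vulnerable pattern: the only gate is "is someone logged in?".
# Any participant account can therefore delete a survey template.
class VulnerableTemplatesController
  def initialize(store, current_user)
    @store = store
    @current_user = current_user
  end

  def destroy(id)
    raise NotAuthorized, "login required" if @current_user.nil?
    @store.destroy(id)
    :destroyed
  end
end

# Hardened pattern: every admin action runs an explicit permission check
# (assumed policy: only admins may manage templates) before touching data.
class HardenedTemplatesController
  def initialize(store, current_user)
    @store = store
    @current_user = current_user
  end

  def destroy(id)
    authorize!(:destroy, :template)
    @store.destroy(id)
    :destroyed
  end

  private

  # Assumed authorization helper. A real application would consult its
  # permissions layer rather than a single boolean on the user.
  def authorize!(action, subject)
    return if @current_user&.admin

    raise NotAuthorized, "#{action} on #{subject} requires admin"
  end
end

# Runs one delete attempt against a fresh store and reports the outcome
# as :destroyed or :denied, so the two patterns can be compared directly.
def attempt_destroy(controller_class, user, id)
  store = TemplateStore.new
  controller_class.new(store, user).destroy(id)
rescue NotAuthorized
  :denied
end

if __FILE__ == $PROGRAM_NAME
  participant = User.new(name: "participant", admin: false)
  admin = User.new(name: "admin", admin: true)
  puts "vulnerable, participant: #{attempt_destroy(VulnerableTemplatesController, participant, 1)}"
  puts "hardened,   participant: #{attempt_destroy(HardenedTemplatesController, participant, 1)}"
  puts "hardened,   admin:       #{attempt_destroy(HardenedTemplatesController, admin, 1)}"
end
```

The check sits at the top of the action, before any data access, so a forgotten check is a visible omission in review; a useful detection control is an automated test that exercises every admin route with a non-admin account and expects a denial.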

Affected Version(s)

decidim >= 0.23.2, < 0.26.8 (fixed in 0.26.8)

decidim >= 0.27.0, < 0.27.4 (fixed in 0.27.4)

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
