Unlimited Time Acceptance of Invitations through Password Reset Functionality in Decidim Prior to Version 2.0.9 of the 'devise_invitable' Gem
CVE-2023-48220

5.7 MEDIUM

Key Information:

Vendor

Decidim

Status
Vendor
CVE Published:
20 February 2024

What is CVE-2023-48220?

A security issue exists in the Decidim participatory democracy framework, specifically linked to its use of the devise_invitable gem. The vulnerability allows invited users to accept invitations indefinitely through the password reset feature: an invitation that has not yet been accepted can still be completed by setting a password through the reset flow, because the system does not check whether the pending invitation has passed the configured expiry period, which is set to two weeks. As a result, invited users can exploit this flaw to maintain access beyond the intended time limit. Developers should upgrade the devise_invitable gem to version 2.0.9 or higher, which addresses this flaw, and ensure their Decidim installations are updated to include the necessary fixes in versions 0.26.9, 0.27.5, and 0.28.0.
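The following Ruby snippet is an added illustration of the defect described above and is not code from Decidim or the devise_invitable gem. It models an invited user with a plain Struct whose attribute names mirror the invitation timestamps devise_invitable stores, and contrasts a password-reset handler that accepts a pending invitation without an expiry check with one that enforces the two-week window. The expiry length, the return symbols, the `Invitee` struct and the placeholder password digest are assumptions made for the example; the real gem's fix and Devise's bcrypt-based hashing are not reproduced here.

```ruby
require 'time'
require 'digest'

# Constructed stand-in for an invited account. In a real Decidim install this
# would be an ActiveRecord model; the attribute names mirror devise_invitable's
# invitation_created_at / invitation_accepted_at columns (assumption).
Invitee = Struct.new(:email, :invitation_created_at, :invitation_accepted_at,
                     :encrypted_password, keyword_init: true)

# Two-week validity window, matching the expiry period the advisory describes.
INVITE_FOR = 14 * 24 * 60 * 60

# Placeholder digest so the example stores no plaintext. Devise itself uses
# bcrypt; this is NOT a substitute for a real password hash.
def placeholder_digest(password)
  Digest::SHA256.hexdigest(password)
end

# A user is "pending" while an invitation was issued but never accepted.
def invitation_pending?(user)
  !user.invitation_created_at.nil? && user.invitation_accepted_at.nil?
end

# The check the vulnerable flow omitted: has the pending invitation outlived
# the configured window?
def invitation_expired?(user, now: Time.now, invite_for: INVITE_FOR)
  invitation_pending?(user) && (user.invitation_created_at + invite_for) < now
end

# Vulnerable behaviour as described in the advisory: resetting the password
# implicitly accepts the invitation no matter how old it is.
def reset_password_vulnerable(user, new_password, now: Time.now)
  user.encrypted_password = placeholder_digest(new_password)
  user.invitation_accepted_at = now if invitation_pending?(user)
  :accepted
end

# Hardened behaviour (assumed shape of the mitigation): refuse to complete a
# reset that would accept an expired invitation, so the account stays pending
# and the stale invite cannot be used to gain access.
def reset_password_hardened(user, new_password, now: Time.now, invite_for: INVITE_FOR)
  return :invitation_expired if invitation_expired?(user, now: now, invite_for: invite_for)

  user.encrypted_password = placeholder_digest(new_password)
  user.invitation_accepted_at = now if invitation_pending?(user)
  :accepted
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 2, 20)
  stale = Invitee.new(email: 'stale@example.org',
                      invitation_created_at: now - 21 * 24 * 60 * 60)
  puts "vulnerable: #{reset_password_vulnerable(stale.dup, 'new-pass', now: now)}"
  puts "hardened:   #{reset_password_hardened(stale, 'new-pass', now: now)}"
end
```

The same `invitation_expired?` predicate doubles as an audit query: running it over all accounts with a non-nil `invitation_created_at` and a nil `invitation_accepted_at` lists invitations that a patched install should treat as dead.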

Affected Version(s)

  • decidim >= 0.0.1.alpha3, < 0.26.9

  • decidim >= 0.27.0, < 0.27.5

  • decidim >= 0.4.rc3, < 2.0.9

References

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
