Lucene search

GitHub Advisory DatabaseGHSA-639H-86HW-QCJQ

HistoryOct 05, 2023 - 8:52 p.m.

Decidim has broken access control in templates

2023-10-0520:52:46

CWE-284

CWE-732

GitHub Advisory Database

github.com

decidim

broken access control

templates

administration panel

surveys.

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

0.001 Low

EPSS

Percentile

22.0%

JSON

Impact

The templates module doesn’t enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys.

Affected configurations

Vulners

Node

decidimdecidimRange<0.27.4

decidimdecidimRange<0.26.8

CPENameOperatorVersion
decidimlt0.27.4
decidim-templateslt0.27.4
decidim-templateslt0.26.8
decidimlt0.26.8

Name	Operator	Version
decidim	lt	0.27.4
decidim-templates	lt	0.27.4
decidim-templates	lt	0.26.8
decidim	lt	0.26.8

References

github.com/advisories/GHSA-639h-86hw-qcjq

github.com/decidim/decidim/releases/tag/v0.26.8

github.com/decidim/decidim/releases/tag/v0.27.4

github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq

github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml

github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml

nvd.nist.gov/vuln/detail/CVE-2023-36465