4 matches found

OSV
added 2024/02/20 7:26 p.m., 8 views

GHSA-W3Q8-M492-4PWP Possibility to circumvent the invitation token expiry period

Impact: The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited, as shown in this piece...

CVSS 5.7 · AI score 6.5 · EPSS 0.00584
Exploits: 0 · References: 11
Snyk
added 2024/02/20 6:45 p.m., 1 view

Operation on a Resource after Expiration or Release

Overview: Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation for the pending invitation's expiry...

CVSS 7.4 · AI score 7 · EPSS 0.00584
Exploits: 0 · References: 2
Snyk
added 2024/02/20 6:45 p.m., 1 view

Operation on a Resource after Expiration or Release

Overview: Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation for the pending invitation's expiry...

CVSS 7.4 · AI score 7 · EPSS 0.00584
Exploits: 0 · References: 2
Positive Technologies
added 2024/02/20 12:00 a.m., 2 views

PT-2024-13556 · Rubygems +2 · Devise Invitable +3

Name of the Vulnerable Software and Affected Versions: decidim versions 0.0.1.alpha3 through 0.26.8; decidim-admin versions 0.0.1.alpha3 through 0.26.8; decidim-system versions 0.0.1.alpha3 through 0.26.8; devise invitable versions 0.4.rc3 through 2.0.8. Description: The invites feature in the devise...

CVSS 7.4 · AI score 7.3 · EPSS 0.00584
Exploits: 0 · References: 16