CVE-2023-36465

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in version 0.26.8 and 0.27.4.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*

History

11 Oct 2023, 18:30

Type Values Removed Values Added
CWE CWE-284 CWE-732
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.1
First Time Decidim
Decidim decidim
CPE cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.8 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.8 - Release Notes
References (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq - (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq - Vendor Advisory
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.4 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.4 - Release Notes

06 Oct 2023, 12:48

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-06 12:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-36465

Mitre link : CVE-2023-36465

CVE.ORG link : CVE-2023-36465


JSON object : View

Products Affected

decidim

  • decidim
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-284

Improper Access Control