CVE-2023-36465
Summary
| CVE | CVE-2023-36465 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-06 12:15:00 UTC |
| Updated | 2023-10-11 18:30:00 UTC |
| Description | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. This issue has been patched in versions 0.26.8 and 0.27.4. |
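The description above says the admin templates module checked only that a user was signed in, not that the user was an administrator, which is the CWE-732 pattern. The Ruby example below is added here to illustrate that bug class and a version triage check; it is not Decidim's code, and the names `TemplatesAdmin`, `authorize!`, `regular_user_can_delete?` and `affected_version?` are hypothetical. The fixed versions come from the description; how release lines the description does not mention are treated is an assumption stated in the comments.

```ruby
# Added example, not Decidim's code. Models the bug class behind CVE-2023-36465
# (CWE-732): an admin-only templates endpoint whose guard checked only that a
# user was signed in, so any account could create, change or delete templates.
require "rubygems" # for Gem::Version

User     = Struct.new(:name, :admin, keyword_init: true)
Template = Struct.new(:id, :name, keyword_init: true)

# Hypothetical stand-in for an admin controller; the real project uses Rails
# controllers and its own permissions layer, which this does not reproduce.
class TemplatesAdmin
  Forbidden = Class.new(StandardError)

  def initialize(templates, enforce_admin:)
    @templates = templates.to_h { |t| [t.id, t] }
    @enforce_admin = enforce_admin # false reproduces the flaw, true the fix
  end

  # Vulnerable guard (enforce_admin: false): any logged-in user passes.
  # Fixed guard (enforce_admin: true): the user must also be an admin.
  def authorize!(user)
    raise Forbidden, "login required" if user.nil?
    raise Forbidden, "admin required" if @enforce_admin && !user.admin
    true
  end

  def create(user, id:, name:)
    authorize!(user)
    @templates[id] = Template.new(id: id, name: name)
  end

  def rename(user, id, name)
    authorize!(user)
    @templates.fetch(id).name = name
  end

  def delete(user, id)
    authorize!(user)
    @templates.delete(id)
  end

  def names
    @templates.values.map(&:name)
  end
end

# Runs the same destructive write as a regular (non-admin) user against the
# chosen guard and reports whether it went through: :ok means the flaw is present.
def regular_user_can_delete?(enforce_admin:)
  admin_ui = TemplatesAdmin.new([Template.new(id: 1, name: "survey")],
                                enforce_admin: enforce_admin)
  attacker = User.new(name: "mallory", admin: false) # constructed sample user
  admin_ui.delete(attacker, 1)
  :ok
rescue TemplatesAdmin::Forbidden
  :forbidden
end

# Fixed releases named in the CVE description, keyed by release line.
PATCHED_IN = {
  "0.26" => Gem::Version.new("0.26.8"),
  "0.27" => Gem::Version.new("0.27.4"),
}.freeze

# Version triage. Lines listed in PATCHED_IN compare against the exact fixed
# version. Assumption (not from the CVE text): lines older than 0.26 never
# received the fix, and lines newer than 0.27 were cut after it.
def affected_version?(installed)
  v = Gem::Version.new(installed)
  line = v.segments.first(2).join(".")
  if (fix = PATCHED_IN[line])
    v < fix
  else
    v < PATCHED_IN["0.26"]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable guard: #{regular_user_can_delete?(enforce_admin: false)}"
  puts "fixed guard:      #{regular_user_can_delete?(enforce_admin: true)}"
  %w[0.26.7 0.26.8 0.27.3 0.27.4 0.28.0].each do |ver|
    puts "#{ver}: #{affected_version?(ver) ? 'affected' : 'patched'}"
  end
end
```

The point of the guard is that "is there a current user" and "is the current user allowed to administer templates" are two different checks; the CVE is the consequence of stopping at the first one. When verifying a real deployment, the equivalent check is to sign in as an ordinary participant and request the admin templates pages directly, expecting a denial rather than the form.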
Risk And Classification
Problem Types: CWE-732 (Incorrect Permission Assignment for Critical Resource)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v0.26.8 · decidim/decidim · GitHub | MISC | github.com | |
| Release v0.27.4 · decidim/decidim · GitHub | MISC | github.com | |
| Broken access control in templates · Advisory · decidim/decidim · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995524 Rubygems (Rubygems) Security Update for decidim (GHSA-639h-86hw-qcjq)