GHSA-639h-86hw-qcjq

Source
https://github.com/advisories/GHSA-639h-86hw-qcjq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-639h-86hw-qcjq/GHSA-639h-86hw-qcjq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-639h-86hw-qcjq
Aliases
Published
2023-10-05T20:52:46Z
Modified
2024-02-16T08:10:26.277696Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
Decidim has broken access control in templates
Details

Impact

The templates module does not enforce the correct permissions, so any logged-in user can reach this functionality in the administration panel. An attacker could use this vulnerability to create, change or delete survey templates.

Database specific
{
    "nvd_published_at": "2023-10-06T12:15:11Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-732"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-05T20:52:46Z"
}
References

Affected packages

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.2
Fixed
0.26.8

Affected versions

0.*

0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7

RubyGems / decidim-templates

Package

Name
decidim-templates
Purl
pkg:gem/decidim-templates

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.2
Fixed
0.26.8

Affected versions

0.*

0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc1
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7

RubyGems / decidim-templates

Package

Name
decidim-templates
Purl
pkg:gem/decidim-templates

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.27.0
Fixed
0.27.4

Affected versions

0.*

0.27.0
0.27.1
0.27.2
0.27.3

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.27.0
Fixed
0.27.4

Affected versions

0.*

0.27.0
0.27.1
0.27.2
0.27.3