Decidim has broken access control in templates

GHSA-639h-86hw-qcjq · CVE-2023-36465

Published Oct 5, 2023 · Modified Feb 16, 2024

Description

Impact

The templates module doesn't enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys.

References

WEB https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-36465
PACKAGE https://github.com/decidim/decidim
WEB https://github.com/decidim/decidim/releases/tag/v0.26.8
WEB https://github.com/decidim/decidim/releases/tag/v0.27.4
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes