CVE-2023-47635
low-risk
Published 2024-02-20
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue is not a serious security threat, because an attacker also needs access to the victim's session cookie in order to see this resource. The URL does not allow modifying the resource, but it may allow attackers to gain access to information that was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
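As an added example (not Decidim's code and not the fix from the referenced pull requests), the Ruby script below shows the kind of check a maintainer can run over a Rails code base to find controller actions where CSRF verification has been switched off, the misconfiguration class this advisory describes. The controller source it scans is constructed for illustration; the controller and action names are hypothetical and are not Decidim's.

```ruby
# Added example, not Decidim's code: a small static check for Rails controllers
# that flags actions where CSRF verification has been disabled. The controller
# source below is constructed for illustration; names are hypothetical.

# Idioms that disable Rails' authenticity-token check, wholesale or per action.
SKIP_RE    = /(?:skip_before_action\s+:verify_authenticity_token|skip_forgery_protection)(?<opts>.*)$/
FORGERY_RE = /protect_from_forgery\b(?<opts>.*)$/

# Pulls action names out of an `only:` or `except:` option.
# "only: [:preview, :show]" -> ["preview", "show"]; "except: :receive" -> ["receive"]
def option_actions(opts, key)
  m = opts.match(/#{key}:\s*(?:\[(?<list>[^\]]*)\]|(?<single>:\w+))/)
  return nil unless m
  (m[:list] || m[:single]).scan(/:(\w+)/).flatten
end

# Scans controller source and returns one finding per disabling statement:
#   { controller:, line:, unprotected: :all | :listed | :all_but, actions: [...] }
# :listed  -> the listed actions are unverified
# :all_but -> every action except the listed ones is unverified
def audit_csrf_skips(source)
  findings = []
  controller = nil
  source.each_line.with_index(1) do |line, lineno|
    if (klass = line.match(/class\s+(\w+Controller)\b/))
      controller = klass[1]
      next
    end
    if (m = line.match(SKIP_RE))
      if (only = option_actions(m[:opts], "only"))
        findings << { controller: controller, line: lineno, unprotected: :listed, actions: only }
      elsif (except = option_actions(m[:opts], "except"))
        findings << { controller: controller, line: lineno, unprotected: :all_but, actions: except }
      else
        findings << { controller: controller, line: lineno, unprotected: :all, actions: [] }
      end
    elsif (m = line.match(FORGERY_RE))
      # protect_from_forgery except: [...] leaves the listed actions unverified;
      # protect_from_forgery only: [...] leaves every other action unverified.
      if (except = option_actions(m[:opts], "except"))
        findings << { controller: controller, line: lineno, unprotected: :listed, actions: except }
      elsif (only = option_actions(m[:opts], "only"))
        findings << { controller: controller, line: lineno, unprotected: :all_but, actions: only }
      end
    end
  end
  findings
end

# True when CSRF verification is disabled for the named action of a controller.
def csrf_unprotected?(findings, controller, action)
  findings.any? do |f|
    next false unless f[:controller] == controller
    case f[:unprotected]
    when :all     then true
    when :listed  then f[:actions].include?(action)
    when :all_but then !f[:actions].include?(action)
    end
  end
end

# Constructed sample input (hypothetical controllers, not Decidim source).
SAMPLE_SOURCE = <<~RUBY
  class TemplatesController < ApplicationController
    # Preview renders with the authenticity check switched off (the pattern behind this CVE)
    skip_before_action :verify_authenticity_token, only: [:preview]

    def preview; end
    def update; end
  end

  class SafeController < ApplicationController
    protect_from_forgery with: :exception
  end

  class WebhooksController < ApplicationController
    protect_from_forgery with: :exception, except: :receive
  end

  class LegacyApiController < ApplicationController
    skip_forgery_protection except: [:destroy]
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_csrf_skips(SAMPLE_SOURCE).each do |f|
    puts "#{f[:controller]}:#{f[:line]} csrf verification disabled (#{f[:unprotected]}) #{f[:actions].inspect}"
  end
end
```

Rails only verifies the authenticity token on non-GET/HEAD requests, so if the preview action is GET-only the skipped check matters less for CSRF itself than for the unintended exposure the advisory describes. The scan still reports every skip because controller source alone does not show which HTTP verbs a route accepts; each finding is then reviewed against the routes file.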
Do I need to act?
0.10% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status: fixed in Decidim 0.27.5 and 0.28.0 (see the release notes in the references); check vendor advisories for mitigation guidance
CVSS 4.5/10 (Medium): attack vector Network, attack complexity Low
Affected Products (1)
Decidim
References
Issue Tracking: https://github.com/decidim/decidim/pull/11743
Issue Tracking: https://github.com/decidim/decidim/pull/6247
Release Notes: https://github.com/decidim/decidim/releases/tag/v0.27.5
Release Notes: https://github.com/decidim/decidim/releases/tag/v0.28.0
Risk score: 24/100 (low-risk)
Severity: 19/34, Moderate
Exploitability: 0/34, Minimal
Exposure: 5/34, Minimal