CVE-2023-36465

9.1 CRITICAL

📋 TL;DR

This vulnerability in Decidim's templates module allows any authenticated user to access administrative template management functions, enabling unauthorized creation, modification, or deletion of survey templates. It affects Decidim installations with the templates module enabled. The high CVSS score reflects the potential for significant data manipulation by any logged-in user.

💻 Affected Systems

Products:
  • Decidim
Versions: All releases before 0.26.8 (0.26.x branch) and before 0.27.4 (0.27.x branch)
Operating Systems: All platforms running Decidim
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the templates module to be enabled and user authentication system to be active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could delete or modify all survey templates, disrupting participatory democracy processes and potentially injecting malicious content into surveys used for official decision-making.

🟠 Likely Case

Authenticated users with malicious intent could manipulate survey templates to alter questions, responses, or survey logic, compromising data integrity and potentially influencing participatory outcomes.

🟢 If Mitigated

With proper access controls and monitoring, impact would be limited to unauthorized template access detection and audit trail creation without actual data manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but no special privileges. The vulnerability is in access control logic, making exploitation straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.26.8 or 0.27.4

Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq

Restart Required: Yes

Instructions:

1. Back up your Decidim installation and database.
2. Update Decidim to version 0.26.8 (for the 0.26.x branch) or 0.27.4 (for the 0.27.x branch).
3. Run bundle install to update dependencies.
4. Restart the application server.
5. Verify that the templates module now enforces proper permissions.

🔧 Temporary Workarounds

Disable templates module

Platform: all

Temporarily disable the vulnerable templates module until patching can be completed

# Edit Decidim configuration to disable templates module
# Specific method depends on your Decidim deployment configuration

Restrict admin panel access

Platform: linux

Implement network-level restrictions to limit access to the administration panel

# Use reverse-proxy rules (nginx example) to restrict /admin paths; a bare "deny all" would also lock out your own administrators
# Example for nginx (replace 203.0.113.0/24, a placeholder, with the administrators' network; keep the existing proxy_pass directive inside the block):
location /admin { allow 203.0.113.0/24; deny all; }

🧯 If You Can't Patch

  • Implement strict access controls at the network level to limit who can reach the administration panel
  • Enable detailed audit logging for all template-related actions and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check if your Decidim version is below 0.26.8 (for 0.26.x) or below 0.27.4 (for 0.27.x) and if the templates module is enabled in the administration panel.

Check Version:

bundle exec rails runner "puts Decidim.version"

Verify Fix Applied:

After updating, verify that non-admin users can no longer reach the template management functions in the administration panel and that the reported version is one of the patched releases.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /admin/templates endpoints
  • Template creation/modification/deletion by non-admin users
  • 403 Forbidden errors for template access by regular users

Network Indicators:

  • HTTP requests to /admin/templates/* paths from non-admin user accounts
  • POST/PUT/DELETE requests to template endpoints from sessions that do not belong to an administrator account

SIEM Query:

source="decidim_logs" AND (uri_path="/admin/templates" OR uri_path CONTAINS "/admin/templates/") AND user_role!="admin"
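The SIEM query above expressed as a small Ruby script, added here as an example and not part of the original page or of Decidim itself. It scans a constructed JSON-lines application log (the field names uri_path, user_role, status and so on are assumptions that mirror the query; adapt them to your own log pipeline) and flags every request to the templates admin endpoints from a non-admin session, separating those that were blocked with 403 from those that went through, which is the signal an unpatched instance produces.

```ruby
# Added example (not Decidim code): flag non-admin access to the templates admin
# endpoints in a JSON-lines application log. Field names are assumptions that
# mirror the SIEM query; adjust them to match your log format.
require "json"

# Matches "/admin/templates" and anything beneath it, but not e.g. "/admin/templatesfoo".
TEMPLATES_PATH = %r{\A/admin/templates(/|\z)}

# Constructed sample log lines; not real Decidim output.
SAMPLE_LOG = <<~LOG
  {"ts":"2023-06-20T10:00:01Z","method":"GET","uri_path":"/processes","status":200,"user_id":42,"user_role":"participant"}
  {"ts":"2023-06-20T10:00:05Z","method":"GET","uri_path":"/admin/templates","status":200,"user_id":42,"user_role":"participant"}
  {"ts":"2023-06-20T10:00:09Z","method":"DELETE","uri_path":"/admin/templates/7","status":302,"user_id":42,"user_role":"participant"}
  {"ts":"2023-06-20T10:01:00Z","method":"GET","uri_path":"/admin/templates","status":200,"user_id":1,"user_role":"admin"}
  {"ts":"2023-06-20T10:02:00Z","method":"POST","uri_path":"/admin/templates","status":403,"user_id":99,"user_role":"participant"}
  not json at all
LOG

# Returns one finding per log line where a non-admin session touched /admin/templates.
# :severity is :blocked when the app answered 403 (permissions held) and :succeeded
# otherwise (the template functions were reachable, as on an unpatched instance).
def flag_template_access(log_text)
  findings = []
  log_text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      next # skip unparseable lines rather than aborting the whole scan
    end
    next unless event["uri_path"].to_s.match?(TEMPLATES_PATH)
    next if event["user_role"] == "admin"

    status = event["status"].to_i
    findings << {
      ts: event["ts"],
      user_id: event["user_id"],
      method: event["method"],
      path: event["uri_path"],
      status: status,
      severity: (status == 403 ? :blocked : :succeeded)
    }
  end
  findings
end

# Counts findings by severity. After patching, :succeeded should drop to zero
# while :blocked may still appear (attempts that the fixed permission check refused).
def summarize(findings)
  findings.each_with_object(Hash.new(0)) { |f, acc| acc[f[:severity]] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  findings = flag_template_access(SAMPLE_LOG)
  findings.each do |f|
    puts "#{f[:ts]} user=#{f[:user_id]} #{f[:method]} #{f[:path]} -> #{f[:status]} (#{f[:severity]})"
  end
  p summarize(findings)
end
```

On the sample data the script reports two succeeded and one blocked finding for non-admin users; the admin's own request and the unrelated /processes request are ignored. Point it at a real log export instead of SAMPLE_LOG once the field names are aligned.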
