Search for packages
| purl | pkg:gem/decidim-templates@0.26.5 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-en2n-zx4a-tbc9
Aliases: CVE-2023-36465 GHSA-639h-86hw-qcjq |
Decidim has broken access control in templates ### Impact The `templates` module does not enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-ep6m-9wr9-8kgy
Aliases: CVE-2023-47635 GHSA-f3qm-vfc3-jg6v |
Server-Side Request Forgery (SSRF) Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T18:14:44.989201+00:00 | Ruby Importer | Affected by | VCID-ep6m-9wr9-8kgy | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-47635.yml | 38.6.0 |
| 2026-06-04T18:14:28.909056+00:00 | Ruby Importer | Affected by | VCID-en2n-zx4a-tbc9 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml | 38.6.0 |