{
  "url": "http://public2.vulnerablecode.io/api/packages/168334?format=json",
  "purl": "pkg:gem/decidim-templates@0.26.5",
  "type": "gem",
  "namespace": "",
  "name": "decidim-templates",
  "version": "0.26.5",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": null,
  "latest_non_vulnerable_version": null,
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46142?format=json",
      "vulnerability_id": "VCID-en2n-zx4a-tbc9",
      "summary": "Decidim has broken access control in templates\n### Impact\n\nThe `templates` module does not enforce the correct permissions, allowing any logged-in user to access to this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete templates of surveys.",
      "references": [
        {
          "reference_url": "https://github.com/decidim/decidim",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.26.8",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.26.8"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.27.4",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.4"
        },
        {
          "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-36465.yml"
        },
        {
          "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-templates/CVE-2023-36465.yml"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36465",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36465"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-639h-86hw-qcjq",
          "reference_id": "GHSA-639h-86hw-qcjq",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-639h-86hw-qcjq"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq",
          "reference_id": "GHSA-639h-86hw-qcjq",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv3", "scoring_elements": ""},
            {"value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/67179?format=json",
          "purl": "pkg:gem/decidim-templates@0.26.8",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-en2n-zx4a-tbc9"},
            {"vulnerability": "VCID-ep6m-9wr9-8kgy"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-templates@0.26.8"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/67180?format=json",
          "purl": "pkg:gem/decidim-templates@0.27.4",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-en2n-zx4a-tbc9"},
            {"vulnerability": "VCID-ep6m-9wr9-8kgy"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-templates@0.27.4"
        }
      ],
      "aliases": ["CVE-2023-36465", "GHSA-639h-86hw-qcjq"],
      "risk_score": 4.1,
      "exploitability": "0.5",
      "weighted_severity": "8.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-en2n-zx4a-tbc9"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47052?format=json",
      "vulnerability_id": "VCID-ep6m-9wr9-8kgy",
      "summary": "Server-Side Request Forgery (SSRF)\nDecidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.",
      "references": [
        {
          "reference_url": "https://github.com/decidim/decidim",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/pull/11743",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/pull/11743"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/pull/6247",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/pull/6247"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.27.5",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/releases/tag/v0.28.0",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47635",
          "reference_id": "CVE-2023-47635",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47635"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-f3qm-vfc3-jg6v",
          "reference_id": "GHSA-f3qm-vfc3-jg6v",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-f3qm-vfc3-jg6v"
        },
        {
          "reference_url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v",
          "reference_id": "GHSA-f3qm-vfc3-jg6v",
          "reference_type": "",
          "scores": [
            {"value": "4.5", "scoring_system": "cvssv3", "scoring_elements": ""},
            {"value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},
            {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/69034?format=json",
          "purl": "pkg:gem/decidim-templates@0.27.5",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [
            {"vulnerability": "VCID-ep6m-9wr9-8kgy"}
          ],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-templates@0.27.5"
        }
      ],
      "aliases": ["CVE-2023-47635", "GHSA-f3qm-vfc3-jg6v"],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ep6m-9wr9-8kgy"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.1",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/decidim-templates@0.26.5"
}