Vulnerability details: VCID-4bwy-byhe-77am
Vulnerability ID VCID-4bwy-byhe-77am
Aliases CVE-2023-47635
GHSA-f3qm-vfc3-jg6v
Summary Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat, as you also need access to the session cookie in order to see this resource. This URL does not allow modifying the resource, but it may allow attackers to gain access to information that was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2023-47635
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-f3qm-vfc3-jg6v
cvssv3.1 4.5 https://github.com/decidim/decidim
generic_textual MODERATE https://github.com/decidim/decidim
cvssv3.1 4.5 https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11
generic_textual MODERATE https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11
ssvc Track https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11
cvssv3.1 4.5 https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660
generic_textual MODERATE https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660
ssvc Track https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660
cvssv3.1 4.5 https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac
generic_textual MODERATE https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac
ssvc Track https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac
cvssv3.1 4.5 https://github.com/decidim/decidim/pull/11743
generic_textual MODERATE https://github.com/decidim/decidim/pull/11743
ssvc Track https://github.com/decidim/decidim/pull/11743
cvssv3.1 4.5 https://github.com/decidim/decidim/pull/6247
generic_textual MODERATE https://github.com/decidim/decidim/pull/6247
ssvc Track https://github.com/decidim/decidim/pull/6247
cvssv3.1 4.5 https://github.com/decidim/decidim/releases/tag/v0.27.5
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.27.5
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.27.5
cvssv3.1 4.5 https://github.com/decidim/decidim/releases/tag/v0.28.0
generic_textual MODERATE https://github.com/decidim/decidim/releases/tag/v0.28.0
ssvc Track https://github.com/decidim/decidim/releases/tag/v0.28.0
cvssv3 4.5 https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
cvssv3.1 4.5 https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
cvssv3.1_qr MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
generic_textual MODERATE https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
ssvc Track https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
cvssv3.1 4.5 https://nvd.nist.gov/vuln/detail/CVE-2023-47635
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-47635
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/commit/5542227be66e3b6d7530f5b536069bce09376660
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/commit/57a4b467787448307b5d9b01ce6e2c8502e121ac
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/pull/11743
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/pull/11743
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/pull/6247
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/pull/6247
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.27.5
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/releases/tag/v0.28.0
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T13:23:33Z/ Found at https://github.com/decidim/decidim/security/advisories/GHSA-f3qm-vfc3-jg6v
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-47635
Exploit Prediction Scoring System (EPSS)
Percentile 0.2801
EPSS Score 0.00105
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:28:31.956784+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/47xxx/CVE-2023-47635.json 38.6.0