Updated advisory posts against rubysec/ruby-advisory-db@14ff883

rubysec · Oct 6, 2023 · a0b3012 · a0b3012
1 parent 3655abd
commit a0b3012
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/advisories/_posts/2023-10-05-CVE-2023-36465.md b/advisories/_posts/2023-10-05-CVE-2023-36465.md
@@ -0,0 +1,34 @@
+---
+layout: advisory
+title: 'CVE-2023-36465 (decidim): Decidim has broken access control in templates'
+comments: false
+categories:
+- decidim
+advisory:
+  gem: decidim
+  cve: 2023-36465
+  ghsa: 639h-86hw-qcjq
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq
+  title: Decidim has broken access control in templates
+  date: 2023-10-05
+  description: |
+    ### Impact
+
+    The `templates` module doesn't enforce the correct permissions,
+    allowing any logged-in user to access to this functionality in
+    the administration panel. An attacker could use this vulnerability
+    to change, create or delete templates of surveys.
+  cvss_v3: 9.1
+  unaffected_versions:
+  - "< 0.23.2"
+  patched_versions:
+  - "~> 0.26.8"
+  - ">= 0.27.4"
+  related:
+    url:
+    - https://github.com/decidim/decidim/security/advisories/GHSA-639h-86hw-qcjq
+    - https://github.com/decidim/decidim/releases/tag/v0.26.8
+    - https://github.com/decidim/decidim/releases/tag/v0.27.4
+    - https://github.com/advisories/GHSA-639h-86hw-qcjq
+  notes: No NVD url; No cvss_v2
+---