CVE-2023-48220

CVSS 3.1 Score 7.4 of 10 (high)

Details

Published: Feb 20, 2024
Updated: Dec 16, 2024
CWE ID: 672

Summary

CVE-2023-48220: Decidim, a participatory democracy framework, is affected by a vulnerability in the `devise_invitable` gem prior to version 2.0.9, in which users can accept invitations without any time limit through the password reset functionality. This issue affects the `decidim`, `decidim-admin`, and `decidim-system` gems from version 0.0.1.alpha3 up to, but not including, 0.26.9, 0.27.5, and 0.28.0. The vulnerability lies in the `devise_invitable` gem, which fails to check that a pending invitation is still valid, disregarding its expiry period. Decidim sets this period to 2 weeks, but the code does not honor this configuration. As a workaround, administrators can manually cancel invitations from the database. The `devise_invitable` gem should be updated to version 2.0.9 or above to address this issue.
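The following added example (not Decidim's or devise_invitable's own code) models the flaw the summary describes and the check that closes it: a pending invitation is accepted as a side effect of a password reset, once without consulting the expiry window and once with the window enforced. The field names (`invitation_token`, `invitation_sent_at`, `invitation_accepted_at`), the `InvitedUser` struct and the two helper flows are assumptions made for illustration; the two-week period is the one the summary says Decidim configures.

```ruby
require "time"

# Decidim's configured invitation period, as stated in the advisory: 2 weeks.
INVITE_FOR = 14 * 24 * 60 * 60

# Hypothetical invited-user record (assumption: field names mirror a typical
# invitation model; this is not devise_invitable's real schema).
InvitedUser = Struct.new(:email, :invitation_token, :invitation_sent_at,
                         :invitation_accepted_at, :password) do
  # An invitation is pending while a token exists and nobody has accepted it.
  def invitation_pending?
    !invitation_token.nil? && invitation_accepted_at.nil?
  end

  # True only while the pending invitation is still inside its validity window.
  def invitation_period_valid?(now = Time.now)
    invitation_pending? && (invitation_sent_at + INVITE_FOR) > now
  end
end

# Flow matching the advisory's description of the bug: resetting the password
# also accepts any pending invitation, and the expiry is never consulted.
def reset_password_vulnerable(user, new_password, now: Time.now)
  user.password = new_password
  if user.invitation_pending?
    user.invitation_accepted_at = now
    user.invitation_token = nil
  end
  :accepted
end

# Hardened flow: a pending invitation that has passed its expiry is refused
# instead of being silently accepted through the reset path.
def reset_password_hardened(user, new_password, now: Time.now)
  if user.invitation_pending? && !user.invitation_period_valid?(now)
    return :invitation_expired
  end
  user.password = new_password
  if user.invitation_pending?
    user.invitation_accepted_at = now
    user.invitation_token = nil
  end
  :accepted
end

# Constructed sample record: an invitation sent 30 days ago, well past 2 weeks.
def stale_invited_user(now = Time.now)
  InvitedUser.new("invitee@example.invalid", "tok-constructed",
                  now - 30 * 24 * 60 * 60, nil, nil)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  puts reset_password_vulnerable(stale_invited_user(now), "new-pass", now: now)
  puts reset_password_hardened(stale_invited_user(now), "new-pass", now: now)
end
```

The hardened variant is also the basis for the workaround the summary mentions: any record for which `invitation_period_valid?` is false is a stale pending invitation that an administrator can cancel, and a periodic query over `invitation_sent_at` against the configured period finds them.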

