GHSA-639h-86hw-qcjq
GitHub Security Advisory
Decidim has broken access control in templates
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
### Impact
The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in the administration panel. An attacker could use this vulnerability to change, create or delete survey templates.
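The flaw described above is a classic broken-access-control pattern: an admin-panel permission check that only verifies that *some* user is logged in, rather than that the user holds the admin role. The Ruby below is an added illustration written for this page and is not Decidim's own code; the `User`, `PermissionAction`, `BrokenTemplatePermissions`, `FixedTemplatePermissions`, `evaluate` and `overprivileged_user_ids` names are hypothetical, and the user records are constructed sample data. It places the weak check beside the corrected one and includes a small audit helper a defender could run over their user list to see who would gain template management rights under the weak check.

```ruby
# Added illustration (not Decidim's code): a minimal admin permission layer
# showing the broken check beside the fixed one. All names are hypothetical.

# Hypothetical user record: every logged-in user has an id; only some are admins.
User = Struct.new(:id, :admin)

# A permission request: which panel (scope), what object (subject), what action.
PermissionAction = Struct.new(:scope, :subject, :action)

# The template management actions exposed in the administration panel.
ADMIN_TEMPLATE_ACTIONS = %w[create update destroy].freeze

# Broken variant: "is there a logged-in user?" is treated as the only check,
# so any authenticated account can create, update or destroy survey templates.
class BrokenTemplatePermissions
  def initialize(user, permission_action)
    @user = user
    @action = permission_action
  end

  def allowed?
    return false unless @action.scope == :admin && @action.subject == :template
    return false if @user.nil? # anonymous visitors are still rejected
    ADMIN_TEMPLATE_ACTIONS.include?(@action.action)
  end
end

# Fixed variant: being logged in is necessary but not sufficient; the admin
# scope additionally requires the admin role on the user.
class FixedTemplatePermissions
  def initialize(user, permission_action)
    @user = user
    @action = permission_action
  end

  def allowed?
    return false unless @action.scope == :admin && @action.subject == :template
    return false if @user.nil? || !@user.admin # role check is the missing piece
    ADMIN_TEMPLATE_ACTIONS.include?(@action.action)
  end
end

# Run both checkers over the same request and report their decisions.
def evaluate(user, action_name)
  request = PermissionAction.new(:admin, :template, action_name)
  {
    broken: BrokenTemplatePermissions.new(user, request).allowed?,
    fixed: FixedTemplatePermissions.new(user, request).allowed?
  }
end

# Audit helper: ids of users the broken check would let manage templates but
# the fixed check would not, i.e. the population exposed by the flaw.
def overprivileged_user_ids(users, action_name = "destroy")
  users.select do |u|
    result = evaluate(u, action_name)
    result[:broken] && !result[:fixed]
  end.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample users: one admin, two ordinary members.
  sample_users = [User.new(1, true), User.new(2, false), User.new(3, false)]
  sample_users.each do |u|
    puts "user #{u.id} (admin=#{u.admin}) destroy template: #{evaluate(u, 'destroy')}"
  end
  puts "over-privileged under the broken check: #{overprivileged_user_ids(sample_users)}"
end
```

The audit helper is the part worth keeping: after applying the fix, running it against the real user list should return an empty array, which is a cheap regression check that the role requirement is still enforced.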
Affected Packages (RubyGems)
- decidim: affected versions 0.23.2 (fixed in 0.26.8)
- decidim-templates: affected versions 0.23.2 (fixed in 0.26.8)
- decidim-templates: affected versions 0.27.0 (fixed in 0.27.4)
- decidim: affected versions 0.27.0 (fixed in 0.27.4)
Key Information
Severity score: 7.5/10
Dataset last updated: July 13, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.