Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-jm79-9pm4-vrw9

GitHub Security Advisory

Decidim vulnerable to sensitive data disclosure

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

Note: added the actual report as a [comment](https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110).

### Summary

Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).

### Impact
This issue may lead to Sensitive Data Disclosure.

### Patches
The problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3).

### Workarounds
Disable or unpublish all meetings components from your application.

Affected Packages

RubyGems decidim
Affected versions: 0.27.0 (fixed in 0.27.3)
RubyGems decidim-meetings
Affected versions: 0.27.0 (fixed in 0.27.3)

Related CVEs

CVE-2023-34090

Key Information

GHSA ID
GHSA-jm79-9pm4-vrw9
Published
July 11, 2023 10:46 PM
Last Modified
July 11, 2023 10:46 PM
CVSS Score
7.5 /10
Primary Ecosystem
RubyGems
Primary Package
decidim
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.