
GHSA-w3q8-m492-4pwp

GitHub Security Advisory

Possibility to circumvent the invitation token expiry period

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact
The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.

When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the `devise_invitable` gem:
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198

The only check performed here is whether the user has been invited; the code does not verify that the pending invitation is still within the `invite_for` expiry period described in the gem's documentation:
https://github.com/scambra/devise_invitable#model-configuration-

> `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When `invite_for` is `0` (the default), the invitation won’t expire.

Decidim sets this option to `2.weeks`, so that expiry period should be respected:
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134

The bug is in the `devise_invitable` gem and should be fixed there; the dependency should then be upgraded in Decidim once the fix becomes available.

### Patches
Update `devise_invitable` to version `2.0.9` or above by running the following command:

```
$ bundle update devise_invitable
```

### Workarounds
The invitations can be cancelled directly from the database by running the following command from the Rails console:

```
> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)
```
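An added example (not the gem's or Decidim's code) that illustrates both the impact described above and the workaround: a plain-Ruby stand-in for the invited-user record contrasts the reset-path check the advisory describes with one that also honours `invite_for`, and lists the expired-but-pending invitations that the workaround clears. The field and method names are assumptions modelled on the behaviour described, not the gem's API.

```ruby
# Stand-in for a devise_invitable-backed user (constructed; not the gem's class).
# Field and method names are assumptions modelled on the advisory's description.
User = Struct.new(:email, :invitation_token, :invitation_created_at,
                  :invitation_accepted_at, keyword_init: true) do
  # Pending: a token exists and the invitation has not been accepted yet.
  def invited_to_sign_up?
    !invitation_token.nil? && invitation_accepted_at.nil?
  end

  # The `invite_for` rule: 0 means never expire; otherwise the invitation
  # must have been created no more than `invite_for` seconds before `now`.
  def invitation_period_valid?(invite_for, now)
    return true if invite_for.to_i.zero?
    !invitation_created_at.nil? && invitation_created_at >= now - invite_for
  end
end

DAY = 24 * 60 * 60
TWO_WEEKS = 14 * DAY # Decidim's `invite_for` of 2.weeks, in seconds

# Behaviour the advisory describes: the reset path accepts the pending
# invitation whenever the user was invited, however old the invitation is.
def vulnerable_accepts_on_reset?(user, _invite_for, _now)
  user.invited_to_sign_up?
end

# Hardened check: the invitation must also still be inside its validity period.
def fixed_accepts_on_reset?(user, invite_for, now)
  user.invited_to_sign_up? && user.invitation_period_valid?(invite_for, now)
end

# Audit helper: pending invitations already past `invite_for`, i.e. the records
# the workaround neutralises by nulling `invitation_token`.
def expired_pending_invitations(users, invite_for, now)
  users.select { |u| u.invited_to_sign_up? && !u.invitation_period_valid?(invite_for, now) }
end

# Constructed sample data (UTC timestamps).
NOW = Time.utc(2024, 2, 20, 19, 26, 0)
SAMPLE_USERS = [
  User.new(email: "fresh@example.org", invitation_token: "tok-a",
           invitation_created_at: NOW - 3 * DAY),
  User.new(email: "stale@example.org", invitation_token: "tok-b",
           invitation_created_at: NOW - 30 * DAY),
  User.new(email: "done@example.org", invitation_token: nil,
           invitation_created_at: NOW - 60 * DAY,
           invitation_accepted_at: NOW - 59 * DAY),
]
```

With the sample data, the 30-day-old invitation is accepted by the described reset path but rejected by the hardened check, and it is the only record the audit helper returns.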

### References
OWASP ASVS V4.0.3-2.3.1

This bug has existed in the `devise_invitable` gem since the following commit, which was first included in the gem's `v0.4.rc3` release:
https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098

All versions since then are affected.

This gem was first introduced at version `~> 1.7.0` to the `decidim-admin` gem in the following commit, which was first included in the `v0.0.1.alpha3` release of Decidim:
https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34

It was first introduced at version `~> 1.7.0` to the `decidim-system` gem in the following commit, which was also first included in the `v0.0.1.alpha3` release of Decidim:
https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454

### Credits
This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| RubyGems | decidim | 0.0.1.alpha3 | 0.26.9 |
| RubyGems | decidim-admin | 0.0.1.alpha3 | 0.26.9 |
| RubyGems | decidim-system | 0.0.1.alpha3 | 0.26.9 |
| RubyGems | devise_invitable | 0.4.rc3 | 2.0.9 |
| RubyGems | decidim | 0.27.0 | 0.27.5 |
| RubyGems | decidim-admin | 0.27.0 | 0.27.5 |
| RubyGems | decidim-system | 0.27.0 | 0.27.5 |

Key Information

- GHSA ID: GHSA-w3q8-m492-4pwp
- Published: February 20, 2024 7:26 PM
- Last Modified: February 20, 2024 7:26 PM
- CVSS Score: 5.0/10
- Primary Ecosystem: RubyGems
- Primary Package: decidim
- GitHub Reviewed: Yes

Dataset

Last updated: July 13, 2025 6:28 AM
