{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/decidim-core/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Decidim-core"],"_cs_severities":["high"],"_cs_tags":["decidim","authentication-bypass","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":["Decidim"],"content_html":"\u003cp\u003eDecidim is an open-source participatory democracy framework. A vulnerability exists within Decidim versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 where any authenticated user can accept or reject amendments to proposals, regardless of their authorization. This issue stems from insufficient permission checks when handling amendment reactions within the affected Decidim components. Successful exploitation allows an attacker to manipulate proposal content and gain co-author status, potentially influencing the outcome of participatory processes. There are currently no patches available; the identified workaround involves disabling amendment reactions for components using the amendable feature. This vulnerability was reported on GitHub as GHSA-w5xj-99cg-rccm.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers an account on the Decidim platform.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Decidim platform with their registered account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a proposal with the amendments feature enabled.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request to the \u003ccode\u003e/amendments/{amendment_id}/accept\u003c/code\u003e or \u003ccode\u003e/amendments/{amendment_id}/reject\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Decidim application processes the request without proper authorization checks due to the vulnerability in \u003ccode\u003edecidim/permissions.rb\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe amendment is accepted or rejected based on the attacker's request.\u003c/li\u003e\n\u003cli\u003eIf the amendment is accepted, the attacker is granted co-author status on the proposal.\u003c/li\u003e\n\u003cli\u003eAttacker leverages co-author status to influence or control the proposal.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can compromise the integrity of participatory processes managed by Decidim. By exploiting the vulnerability, an attacker can manipulate proposals and gain undue influence, potentially undermining the democratic process. Impacts can range from subtle alterations of proposal content to complete control over proposal outcomes. The number of affected proposals depends on the number of Decidim installations using the vulnerable versions and having the amendment feature enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided workaround by disabling amendment reactions for the amendable component (e.g., proposals) to mitigate the vulnerability until a patch is available (reference: Workarounds section).\u003c/li\u003e\n\u003cli\u003eMonitor Decidim application logs for suspicious activity related to amendment acceptance/rejection actions originating from unauthorized users. Implement a detection rule focusing on HTTP POST requests to \u003ccode\u003e/amendments/{amendment_id}/accept\u003c/code\u003e and \u003ccode\u003e/amendments/{amendment_id}/reject\u003c/code\u003e (reference: Sigma rule - Decidim Suspicious Amendment Activity).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Decidim-core once available to remediate the vulnerability. Check the Decidim release notes for updates (reference: Affected Packages section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/","summary":"An authentication bypass vulnerability in Decidim allows any registered user to accept or reject amendments, potentially granting them co-author status on affected proposals; versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 are affected.","title":"Decidim Amendment Acceptance Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed - Decidim-Core","version":"https://jsonfeed.org/version/1.1"}