<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Decidim-Core - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/decidim-core/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/decidim-core/feed.xml" rel="self" type="application/rss+xml"/><item><title>Decidim Amendment Acceptance Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/</guid><description>An authentication bypass vulnerability in Decidim allows any registered user to accept or reject amendments, potentially granting them co-author status on affected proposals; versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 are affected.</description><content:encoded><![CDATA[<p>Decidim is an open-source participatory democracy framework. A vulnerability exists within Decidim versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 where any authenticated user can accept or reject amendments to proposals, regardless of their authorization. This issue stems from insufficient permission checks when handling amendment reactions within the affected Decidim components. Successful exploitation allows an attacker to manipulate proposal content and gain co-author status, potentially influencing the outcome of participatory processes. There are currently no patches available; the identified workaround involves disabling amendment reactions for components using the amendable feature. This vulnerability was reported on GitHub as GHSA-w5xj-99cg-rccm.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers an account on the Decidim platform.</li>
<li>Attacker authenticates to the Decidim platform with their registered account.</li>
<li>Attacker identifies a proposal with the amendments feature enabled.</li>
<li>Attacker crafts a malicious HTTP request to the <code>/amendments/{amendment_id}/accept</code> or <code>/amendments/{amendment_id}/reject</code> endpoint.</li>
<li>The Decidim application processes the request without proper authorization checks due to the vulnerability in <code>decidim/permissions.rb</code>.</li>
<li>The amendment is accepted or rejected based on the attacker's request.</li>
<li>If the amendment is accepted, the attacker is granted co-author status on the proposal.</li>
<li>Attacker leverages co-author status to influence or control the proposal.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can compromise the integrity of participatory processes managed by Decidim. By exploiting the vulnerability, an attacker can manipulate proposals and gain undue influence, potentially undermining the democratic process. Impacts can range from subtle alterations of proposal content to complete control over proposal outcomes. The number of affected proposals depends on the number of Decidim installations using the vulnerable versions and having the amendment feature enabled.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the provided workaround by disabling amendment reactions for the amendable component (e.g., proposals) to mitigate the vulnerability until a patch is available (reference: Workarounds section).</li>
<li>Monitor Decidim application logs for suspicious activity related to amendment acceptance/rejection actions originating from unauthorized users. Implement a detection rule focusing on HTTP POST requests to <code>/amendments/{amendment_id}/accept</code> and <code>/amendments/{amendment_id}/reject</code> (reference: Sigma rule - Decidim Suspicious Amendment Activity).</li>
<li>Upgrade to a patched version of Decidim-core once available to remediate the vulnerability. Check the Decidim release notes for updates (reference: Affected Packages section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>decidim</category><category>authentication-bypass</category><category>privilege-escalation</category><category>web-application</category></item></channel></rss>