Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-34090

Good to know:

icon

Date: July 11, 2023

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.

Language: Ruby

Severity Score

Related Resources (8)

https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9
https://nvd.nist.gov/vuln/detail/CVE-2023-34090
https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110
https://github.com/decidim/decidim/releases/tag/v0.27.3
https://github.com/decidim/decidim
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-meetings/CVE-2023-34090.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34090.yml
https://www.mend.io/vulnerability-database/CVE-2023-34090

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version decidim - 0.27.3;decidim-core - 0.27.3

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us