Home > Vulnerability Database > CVE-2023-34090

Mend.io Vulnerability Database

CVE-2023-34090

Good to know:

Date: July 11, 2023

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.

Language: Ruby

Severity Score

7.5

Related Resources (5)

Url: https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-34090

Url: https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110

Url: https://github.com/decidim/decidim/releases/tag/v0.27.3

Url: https://www.mend.io/vulnerability-database/CVE-2023-34090

Severity Score

7.5

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version decidim - 0.27.3;decidim-core - 0.27.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-34090

Good to know:

Date: July 11, 2023

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?