CVE-2023-48220

CVE-2023-48220 is a medium-severity vulnerability in Decidim with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-672.

Key facts

Description

Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.

Frequently asked questions

What is CVE-2023-48220?
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
How severe is CVE-2023-48220?
CVE-2023-48220 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2023-48220 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-48220?
CVE-2023-48220 primarily affects Decidim. In total, 14 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-48220?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2023-48220 have an EU (EUVD) identifier?
Yes. CVE-2023-48220 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0744.
When was CVE-2023-48220 published?
CVE-2023-48220 was published on 2024-02-20 and last updated on 2026-06-17.

References

Affected products (14)

More vulnerabilities in Decidim

All CVEs affecting Decidim →

Other CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities

Browse all CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities →