CVE-2023-48220
CVE-2023-48220 is a medium-severity vulnerability in Decidim with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-672.
Key facts
- Severity: Medium (CVSS 3.x base score 5.7)
- EPSS exploit prediction: 1% (52nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-0744
- Weakness: CWE-672
- Affected product: Decidim
- Published:
- Last modified:
Description
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
Frequently asked questions
- What is CVE-2023-48220?
- Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
- How severe is CVE-2023-48220?
- CVE-2023-48220 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2023-48220 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-48220?
- CVE-2023-48220 primarily affects Decidim. In total, 14 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-48220?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2023-48220 have an EU (EUVD) identifier?
- Yes. CVE-2023-48220 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0744.
- When was CVE-2023-48220 published?
- CVE-2023-48220 was published on 2024-02-20 and last updated on 2026-06-17.
References
- https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
- https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
- https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
- https://github.com/decidim/decidim/releases/tag/v0.26.9
- https://github.com/decidim/decidim/releases/tag/v0.27.5
- https://github.com/decidim/decidim/releases/tag/v0.28.0
- https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
- https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
- https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
Affected products (14)
- cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:-:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha3:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha4:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha5:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha6:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha7:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha8:*:*:*:ruby:*:*
- cpe:2.3:a:decidim:decidim:0.0.1:alpha9:*:*:*:ruby:*:*
- cpe:2.3:a:scambra:devise_invitable:*:*:*:*:*:ruby:*:*
- cpe:2.3:a:scambra:devise_invitable:0.4.0:-:*:*:*:ruby:*:*
- cpe:2.3:a:scambra:devise_invitable:0.4.0:rc3:*:*:*:ruby:*:*
- cpe:2.3:a:scambra:devise_invitable:0.4.0:rc4:*:*:*:ruby:*:*
- cpe:2.3:a:scambra:devise_invitable:0.4.0:rc5:*:*:*:ruby:*:*
More vulnerabilities in Decidim
- CVE-2023-36465 — Critical (CVSS 9.1): Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City…
- CVE-2026-23891 — High (CVSS 8.7): Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code…
- CVE-2023-34089 — High (CVSS 8.1): Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City…
- CVE-2023-32693 — High (CVSS 8.1): Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City…
- CVE-2024-45594 — High (CVSS 7.7): Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetings is…
- CVE-2026-40869 — High (CVSS 7.5): Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a…
Other CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities
- CVE-2023-41094 — Critical (CVSS 10.0): TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing…
- CVE-2020-24030 — Critical (CVSS 9.8): ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and…
- CVE-2020-12043 — Critical (CVSS 9.8): The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when configured for wireless networking the FTP…
- CVE-2019-17638 — Critical (CVSS 9.4): In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an…
- CVE-2013-10075 — Critical (CVSS 9.1): Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores…
- CVE-2022-22755 — High (CVSS 8.8): By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute…
Browse all CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities →