CVE-2023-34089: Release v0.27.3 · decidim/decidim
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.6.
Security fixes
This release addresses several security issues, including the following:
- CVE-2023-32693
- CVE-2023-34089
- CVE-2023-34090
The details of these security vulnerabilities will be published on July 11th 2023, two months after the release date of this version. For more information, please refer to our Security Policy.
We highly recommend updating to this version as soon as possible to ensure the security of your system.
Upgrade notes
As usual, we recommend that you have a full backup of the database, application code and static files.
To update, follow these steps:
- Update your Gemfile:
gem "decidim", "0.27.3"
gem "decidim-dev", "0.27.3"
- Run these commands to upgrade and make sure you get all the latest migrations:
bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate
And then follow the steps and commands detailed in these notes.
Changelog
Added
Nothing.
Changed
- decidim-core: Backport ‘Improve the link handling’ to v0.27 #10735
Fixed
- decidim-core: Backport ‘Fix sass syntax errors’ to v0.27 #10445
- decidim-participatory processes: Backport ‘Fix: Ransack returns results for multiple organizations’ to v0.27 #10447
- decidim-forms: Backport ‘Fix survey conditional display’ to v0.27 #10448
- decidim-core: Backport ‘Fix pipeline asset router bug regarding for manifests containing the host’ to v0.27 #10449
- decidim-budgets, decidim-core, decidim-elections, decidim-proposals: Backport ‘Fix updating budget projects or other records containing attachments’ to v0.27 #10451
- decidim-budgets, decidim-core, decidim-elections, decidim-proposals: Backport ‘Fix styling bug with the remove/close buttons for attachments’ to v0.27 #10452
- decidim-admin: Backport ‘Fix deleting all content from help section triggers error’ to v0.27 #10453
- decidim-admin: Backport ‘Fix deprecation warning in the html5sortable NPM package’ to v0.27 #10455
- decidim-proposals: Backport ‘Fix participatory texts sections required field indicators’ to v0.27 #10527
- decidim-initiatives: Backport ‘Remove email from initiative’s print page’ to v0.27 #10535
- decidim-core, decidim-participatory processes: Backport ‘Fix destroying scope types that have been associated with processes’ to v0.27 #10530
- decidim-meetings: Backport ‘Fix meeting form for admin to update registrations_enabled field’ to v0.27 #10531
- decidim-admin, decidim-core, decidim-system: Backport ‘Remove actions from admin and blocked users’ to v0.27 #10536
- decidim-core: Backport ‘Make buttons respect the organizations’ primary color’ to v0.27 #10546
- decidim-proposals: Backport ‘Export proposal body without HTML tags’ to v0.27 #10539
- decidim-proposals: Backport ‘Fix: Set required to proposal limit field in Proposal component’ to v0.27 #10549
- decidim-core: Backport ‘Fix promoted admin password change right after registration’ to v0.27 #10540
- decidim-admin, decidim-assemblies, decidim-conferences, decidim-core, decidim-elections, decidim-initiatives, decidim-participatory processes, decidim-proposals, decidim-system: Backport ‘Fix dynamic upload file field required indicator + make option naming consistent’ to v0.27 #10541
- decidim-debates, decidim-meetings, decidim-proposals: Backport ‘Fix iframes stripped from admin entered proposals, meetings and debates’ to v0.27 #10558
- decidim-forms: Fix sorting question choice validations #10227
- Fix missing documentation link #10621
- decidim-comments: Backport ‘Fix for exporting deleted and hidden comments’ to v0.27 #10658
- decidim-proposals: Backport ‘Fix for exporting hidden moderated proposals’ to v0.27 #10661
- decidim-proposals: Backport ‘Fix flaky collaborative drafts specs’ to v0.27 #10667
- decidim-admin: Backport ‘Change I18n captions on moderation module’ to v0.27 #10662
- decidim-proposals: Backport ‘Fix empty proposals component configuration limits’ to v0.27 #10666
- decidim-admin, decidim-core, decidim-elections, decidim-meetings: Backport ‘Fix Redundant notifications when a component is (re)published’ to v0.27 #10736
- decidim-core, decidim-debates, decidim-meetings, decidim-proposals: Backport ‘User role is defined for digest notifications to scope translations correctly’ to v0.27 #10738
- decidim-initiatives: Backport ‘Fix initiatives display when not initialized’ to v0.27 #10742
- decidim-admin, decidim-assemblies, decidim-blogs, decidim-budgets, decidim-conferences, decidim-consultations, decidim-core, decidim-elections, decidim-forms, decidim-initiatives, decidim-meetings, decidim-pages, decidim-proposals, decidim-sortitions: Backport ‘Fix editor toolbar’ to v0.27 #10743
- decidim-participatory processes: Backport ‘Fix Empty participatory process group is created when importing a PP …’ to v0.27 #10732
- decidim-assemblies, decidim-blogs, decidim-budgets, decidim-consultations, decidim-debates, decidim-elections, decidim-forms, decidim-pages, decidim-participatory processes, decidim-proposals, decidim-sortitions: Backport ‘Fix Video embeds are not shown in short_description field’ to v0.27 #10745
- decidim-consultations: Backport ‘Add missing translations in consultations’ to v0.27 #10790
- decidim-budgets, decidim-proposals: Backport ‘Supports no longer visible for linked proposals if supports are disabled’ to v0.27 #10777
- decidim-participatory processes: Backport ‘Add metrics, statistics and process type to the participatory process importer’ to v0.27 #10770
- Backport ‘Fix menu spec after #9928’ to v0.27 #10769
- decidim-meetings: Backport ‘Fix meetings calendar filtering’ to v0.27 #10772
- decidim-initiatives: Backport ‘Fix initiative creation missing form fields’ to v0.27 #10785
- decidim-initiatives: Backport ‘Fix edge case in initiative creation’ to v0.27 #10784
- decidim-proposals: Backport ‘Fix notifications for the proposal answers importer’ to v0.27 #10787
- decidim-initiatives: Backport ‘Fix edit form in initiatives’ to v0.27 #10781
- decidim-comments: Backport ‘Fix missing hide and show comments by threads’ to v0.27 #10779
- decidim-core: Backport ‘Fix ImageMagick errors when trying to identify image dimensions’ to v0.27 #10556
- decidim-participatory processes: Backport ‘Fix issues with unexpected date filter params for the process listing’ to v0.27 #10807
- decidim-initiatives: Backport ‘Fix initiative creation without fallback hash attribute’ to v0.27 #10817
- decidim-core: Backport ‘Fix: Inconsistent datetime distance_in_words translations’ to v0.27 #10793
- decidim-core: Backport ‘Refactor attachment title’ to v0.27 #10664
- decidim-budgets: Backport ‘Fix budget summary mail when a scope is defined and enabled’ to v0.27 #10838
- decidim-core, decidim-proposals: Backport ‘Fix File attachments in proposals’ to v0.27 #10827
- decidim-initiatives: Backport ‘Change the participant initiatives editor toolbars type’ to v0.27 #10844
Removed
Nothing.
Developer improvements
Nothing.
Internal
- Backport ‘Switch to the official Codecov action for CI’ to v0.27 #10462
- decidim-proposals: Backport ‘Fix flaky collaborative drafts specs’ to v0.27 #10667
- Backport ‘Fix menu spec after #9928’ to v0.27 #10769
- Backport ‘Remove parallel spec from the core system specs’ to v0.27 #10843
Previous versions
Please check release/0.26-stable for previous changes.
Related news
### Impact
The external link feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.
### Patches
The problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3) and [v0.26.6](https://github.com/decidim/decidim/releases/tag/v0.26.6)
### Impact
The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing.
### Patches
The problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3) and [v0.26.6](https://github.com/decidim/decidim/releases/tag/v0.26.6)
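The two advisories above name an external-link feature and a processes filter as XSS sinks but do not describe the defect itself. The following is an added example, not Decidim's own code, of the generic defensive pattern for both kinds of sink in a Rails application: a user-supplied link is only rendered as an `href` when its scheme is `http` or `https`, and a filter value echoed back into the listing page is HTML-escaped with `ERB::Util.html_escape`. The function names and the "Showing results for" message are assumptions made for the example.

```ruby
require "erb"
require "uri"

# Schemes an external link is allowed to carry. Anything else (javascript:,
# data:, vbscript:, ...) is dropped rather than rendered into an href.
ALLOWED_LINK_SCHEMES = %w[http https].freeze

# Returns the URL if it is an absolute http(s) URL, otherwise nil.
# Rejects on parse failure, missing scheme, or disallowed scheme.
def safe_external_href(raw)
  uri = URI.parse(raw.to_s.strip)
  return nil unless uri.scheme && ALLOWED_LINK_SCHEMES.include?(uri.scheme.downcase)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Builds an external-link anchor with both the href and the visible text
# HTML-escaped; a rejected URL yields escaped plain text instead of a link.
def external_link_html(raw_url, text)
  href = safe_external_href(raw_url)
  label = ERB::Util.html_escape(text)
  return label unless href
  %(<a href="#{ERB::Util.html_escape(href)}" rel="noopener noreferrer" target="_blank">#{label}</a>)
end

# Echoes the current filter value back into the listing page with escaping,
# so any markup in the parameter is rendered as text, not interpreted.
def filter_summary_html(filter_value)
  "Showing results for: #{ERB::Util.html_escape(filter_value)}"
end

if __FILE__ == $PROGRAM_NAME
  puts external_link_html("https://decidim.org/?a=1&b=2", "Decidim")
  puts external_link_html("javascript:void(0)", "Not a link")
  puts filter_summary_html("<b>budget</b>")
end
```

In an ERB view the same escaping happens automatically for `<%= %>` output; the risk points are `raw`, `html_safe` and attribute values assembled by string concatenation, which is where the scheme check on the URL earns its keep.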
Note: added the actual report as a [comment](https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110).
### Summary
Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).
### Impact
This issue may lead to Sensitive Data Disclosure.
### Patches
The problem was patched in [v0.27.3](https://github.com/decidim/decidim/releases/tag/v0.27.3).
### Workarounds
Disable or unpublish all meetings components from your application.
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table). This issue may lead to Sensitive Data Disclosure. The problem was patched in version 0.27.3.
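The Ransack issue described in the two entries above comes down to which filter keys the library will answer. Ransack exposes two class-level hooks for this, `ransackable_attributes(auth_object = nil)` and `ransackable_associations(auth_object = nil)`, and its stock implementation returns every column and every association. The following is an added example, not Decidim's or Ransack's own code: a plain-Ruby model that overrides those hooks with an explicit allowlist, plus a checker that shows which `q[...]` keys from a constructed request survive under the default and under the allowlist. The `Meeting` columns, association names and sample parameters are hypothetical.

```ruby
# Ransack predicate suffixes handled here (a subset of the real set).
PREDICATES = %w[eq not_eq cont not_cont start end lt lteq gt gteq in null present blank true false].freeze

class Meeting
  # Hypothetical column and association names, constructed for the example.
  def self.column_names
    %w[id title description start_time private_meeting author_id]
  end

  def self.association_names
    %w[author scope category]
  end

  # Same names and signatures as Ransack's hooks. Listing only public columns
  # and no associations stops "author_<column>_<predicate>" style keys from
  # pivoting into the users table.
  def self.ransackable_attributes(_auth_object = nil)
    %w[title description start_time]
  end

  def self.ransackable_associations(_auth_object = nil)
    []
  end
end

# Splits "title_cont" into ["title", "cont"]; the longest predicate wins so
# that "not_eq" is not mistaken for "eq". Returns nil for keys with no predicate.
def split_filter_key(key)
  pred = PREDICATES.sort_by { |p| -p.length }.find { |p| key.end_with?("_#{p}") }
  return nil unless pred
  [key[0...-(pred.length + 1)], pred]
end

# A key is allowed if its base is an allowlisted attribute, or if it begins
# with an allowlisted association name (Ransack resolves "author_email" as
# attribute "email" of association "author").
def filter_allowed?(key, attrs:, assocs:)
  base, = split_filter_key(key)
  return false if base.nil?
  return true if attrs.include?(base)
  assocs.any? { |a| base.start_with?("#{a}_") }
end

# Returns [accepted_keys, rejected_keys] for a hash of filter params.
# hardened: false reproduces Ransack's default (everything is searchable).
def partition_filters(model, params, hardened: true)
  attrs  = hardened ? model.ransackable_attributes : model.column_names
  assocs = hardened ? model.ransackable_associations : model.association_names
  params.keys.partition { |k| filter_allowed?(k, attrs: attrs, assocs: assocs) }
end

# Constructed parameters, as a controller would see them in params[:q].
SAMPLE_QUERY = {
  "title_cont" => "budget",           # public attribute: fine
  "start_time_gteq" => "2023-05-01",  # public attribute: fine
  "private_meeting_true" => "1",      # non-public attribute
  "author_email_start" => "a"         # association traversal into users
}.freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = partition_filters(Meeting, SAMPLE_QUERY)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

With the override in place, real Ransack drops keys that are not allowlisted (or raises, depending on its `ignore_unknown_conditions` setting), so the controller never builds a query that touches the `users` table. The `auth_object` parameter is the hook for returning a wider list to an admin than to an anonymous visitor; the example ignores it and treats every caller as unauthenticated, which is the safe default for public listings.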