PT-2023-24663
Published 2023-07-11 · Updated 2023-07-19
CVE-2023-34090
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Decidim versions prior to 0.27.3
Description
Decidim, a participatory democracy framework written in Ruby on Rails, uses the third-party library Ransack to filter certain database collections from user-supplied query parameters. Unless a model restricts them through its ransackable_attributes and ransackable_associations methods, Ransack (before its 4.0 release) defaults to accepting filter conditions on every column and every association of that model, including columns that are never rendered and tables reached only through associations. An unauthenticated remote attacker can therefore submit predicates on non-public attributes and infer their values from which records the filtered result contains, exfiltrating non-public data from the underlying database of a Decidim instance. The impact is sensitive data disclosure (confidentiality only, which is why the vector carries C:H with I:N and A:N).
Recommendations
For Decidim versions prior to 0.27.3, update to version 0.27.3 to resolve the issue.
As a temporary workaround until the update is applied, disable or unpublish all meetings components of the application, since that is the component through which the unrestricted filtering is reachable.
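The following is an added illustration and is not code from Decidim, Ransack or this advisory. It is a small stand-in for the part of Ransack that turns a query key such as author_encrypted_password_start into a condition and consults the model's ransackable_attributes and ransackable_associations hooks. It shows the unrestricted default described above (any column, and anything reachable through an association, becomes a filter oracle) next to a model that returns an explicit allowlist, which is the restriction mechanism Ransack provides. Model, column, association and row names are constructed for the example; the predicate set is a subset of Ransack's, and the toy raises where real Ransack, with its default ignore_unknown_conditions setting, silently drops a condition instead.

```ruby
# Added illustration (not Decidim's or Ransack's code). Constructed rows stand
# in for database tables; column and association names are assumptions.
USERS = [
  { id: 1, name: "alice", encrypted_password: "$2a$12$aaaaaaaa" },
  { id: 2, name: "bob",   encrypted_password: "$2a$12$bbbbbbbb" }
].freeze
MEETINGS = [
  { id: 10, title: "Budget", address: "Town hall", author_id: 1 },
  { id: 11, title: "Parks",  address: "Room 3",    author_id: 2 }
].freeze

# A model knows its columns, its associations (name => [target model, foreign
# key]) and an optional allowlist. With no allowlist it behaves like the Ransack
# (< 4.0) default: every column and every association is filterable.
Model = Struct.new(:name, :columns, :associations, :rows, :allowlist) do
  def ransackable_attributes(_auth_object = nil)
    allowlist ? allowlist[:attributes] : columns
  end

  def ransackable_associations(_auth_object = nil)
    allowlist ? allowlist[:associations] : associations.keys
  end
end

USER = Model.new("User", %w[id name encrypted_password], {}, USERS, nil)

# Unrestricted: any column, and anything reachable through "author".
VULNERABLE_MEETING = Model.new("Meeting", %w[id title address author_id],
                               { "author" => [USER, :author_id] }, MEETINGS, nil)

# Hardened: explicit allowlist, no associations. In a real ActiveRecord model
# this is a class method `self.ransackable_attributes(auth_object = nil)`
# returning %w[title address], plus `self.ransackable_associations` returning [].
HARDENED_MEETING = Model.new("Meeting", %w[id title address author_id],
                             { "author" => [USER, :author_id] }, MEETINGS,
                             { attributes: %w[title address], associations: [] })

# Subset of Ransack predicates; real Ransack has many more.
MATCHERS = {
  "cont"  => ->(value, term) { value.to_s.include?(term) },
  "start" => ->(value, term) { value.to_s.start_with?(term) },
  "eq"    => ->(value, term) { value.to_s == term }
}.freeze

class DisallowedCondition < StandardError; end

# "author_encrypted_password_start" => ["author_encrypted_password", "start"]
def parse_condition(key)
  MATCHERS.each_key do |pred|
    return [key.delete_suffix("_#{pred}"), pred] if key.end_with?("_#{pred}")
  end
  raise DisallowedCondition, "no known predicate in #{key}"
end

# Resolves a path through the model, refusing any segment the model does not
# list as ransackable. Returns a lambda that reads the value from a row.
def resolve(model, path)
  return ->(row) { row[path.to_sym] } if model.ransackable_attributes.include?(path)

  model.ransackable_associations.each do |assoc|
    next unless path.start_with?("#{assoc}_")

    target, fk = model.associations.fetch(assoc)
    inner = resolve(target, path.delete_prefix("#{assoc}_"))
    return lambda { |row|
      related = target.rows.find { |r| r[:id] == row[fk] }
      related && inner.call(related)
    }
  end
  # Real Ransack silently drops such conditions by default; raising makes the
  # refusal visible here.
  raise DisallowedCondition, "#{model.name}: '#{path}' is not ransackable"
end

def ransack(model, params)
  conditions = params.map do |key, term|
    path, pred = parse_condition(key)
    [resolve(model, path), MATCHERS.fetch(pred), term]
  end
  model.rows.select { |row| conditions.all? { |get, match, term| match.call(get.call(row), term) } }
end

# IDs of the rows a requester would see for a given set of filter params.
def meeting_ids(model, params)
  ransack(model, params).map { |row| row[:id] }
end

if $PROGRAM_NAME == __FILE__
  # Against the unrestricted model, the result set depends on a column the
  # requester can never read: which meetings come back reveals whether the
  # author's password hash starts with the probed prefix.
  p meeting_ids(VULNERABLE_MEETING, "author_encrypted_password_start" => "$2a$12$a")
  # Against the allowlisted model the same probe is refused, while the
  # intended public filter still works.
  p meeting_ids(HARDENED_MEETING, "title_cont" => "Bud")
end
```

The oracle is the point: the attacker never reads the sensitive column directly, but the size or membership of a filtered public listing changes with each probe, and with predicates such as _start that can be repeated one character at a time. The allowlist closes it because resolve never reaches the author association or the encrypted_password column, no matter how the key is spelled.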
Vulnerability Type
Information Disclosure
Affected Products
Decidim
Ransack
Ruby On Rails