PT-2024-13464 · Decidim · Decidim
Credit: Microstudi · Published: 2024-02-20 · Updated: 2025-02-14
CVE-2023-47634 · CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Decidim versions 0.10.0 through 0.26.8
Decidim versions 0.27.0 through 0.27.4
Fixed in 0.26.9, 0.27.5 and 0.28.0; version 0.28.0 and later are not affected.
Description Decidim is a participatory democracy framework. A race condition in the endorsement of resources allows a user to register more than one endorsement on the same resource: the check that the user has not already endorsed and the write that records the endorsement are not performed atomically, so concurrent requests can all pass the check before any of them has written. To exploit this issue, the request that sets an endorsement must be sent several times in parallel. The attack is rated AC:H because it depends on winning that timing window.
Recommendations For Decidim versions 0.10.0 through 0.26.8, update to version 0.26.9 or later. For Decidim versions 0.27.0 through 0.27.4, update to version 0.27.5 or later (0.28.0 and later also contain the fix). As a temporary workaround for all affected versions, consider disabling the Endorsement feature in the affected components.
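The following is an added illustration of the check-then-act race described above and of the usual remedy for it; it is not Decidim's code and not its actual patch. An in-memory table stands in for the endorsements table, a barrier forces the worst-case interleaving (every "request" finishes its existence check before any of them writes), and the hardened handler relies on a unique constraint enforced at write time and treats the resulting duplicate-key error as "already endorsed". The class and method names, the resource id 42 and the user id 7 are all assumptions made for the example.

```ruby
# Added example (not Decidim's code): a check-then-act endorsement handler
# racing under parallel requests, next to a version hardened with a unique
# constraint. Names, ids and the in-memory table are constructed for this demo.
require 'thread'

class RecordNotUnique < StandardError; end

# In-memory stand-in for an endorsements table keyed on (resource_id, user_id).
class EndorsementTable
  def initialize(unique_index: false)
    @rows = []
    @lock = Mutex.new
    @unique_index = unique_index
  end

  def exists?(resource_id, user_id)
    @lock.synchronize { @rows.include?([resource_id, user_id]) }
  end

  # INSERT. With unique_index: true the duplicate check and the write happen
  # under one lock, the way a database enforces a unique index atomically.
  def insert(resource_id, user_id)
    @lock.synchronize do
      if @unique_index && @rows.include?([resource_id, user_id])
        raise RecordNotUnique, "duplicate endorsement"
      end
      @rows << [resource_id, user_id]
    end
  end

  def count(resource_id)
    @lock.synchronize { @rows.count { |r| r[0] == resource_id } }
  end
end

# Barrier: every thread completes its existence check before any thread writes,
# which is the interleaving a burst of parallel HTTP requests can produce.
class Barrier
  def initialize(n)
    @n, @count, @m, @cv = n, 0, Mutex.new, ConditionVariable.new
  end

  def wait
    @m.synchronize do
      @count += 1
      @count >= @n ? @cv.broadcast : (@cv.wait(@m) while @count < @n)
    end
  end
end

# Vulnerable pattern: application-level check, then write, no DB constraint.
def endorse_check_then_act(table, resource_id, user_id, barrier)
  already = table.exists?(resource_id, user_id)
  barrier.wait                          # the other requests arrive right now
  table.insert(resource_id, user_id) unless already
end

# Hardened pattern: keep the fast check, but let the unique index decide and
# make a duplicate write idempotent instead of letting it create a second row.
def endorse_with_unique_index(table, resource_id, user_id, barrier)
  already = table.exists?(resource_id, user_id)
  barrier.wait
  return :already_endorsed if already
  table.insert(resource_id, user_id)
  :endorsed
rescue RecordNotUnique
  :already_endorsed
end

# Fire n "requests" from the same user against the same resource in parallel
# and return how many endorsement rows that resource ends up with.
def endorse_n_times_in_parallel(table, n, &handler)
  barrier = Barrier.new(n)
  Array.new(n) { Thread.new { handler.call(table, 42, 7, barrier) } }.each(&:join)
  table.count(42)
end

def vulnerable_count(n = 5)
  table = EndorsementTable.new(unique_index: false)
  endorse_n_times_in_parallel(table, n) { |t, r, u, b| endorse_check_then_act(t, r, u, b) }
end

def hardened_count(n = 5)
  table = EndorsementTable.new(unique_index: true)
  endorse_n_times_in_parallel(table, n) { |t, r, u, b| endorse_with_unique_index(t, r, u, b) }
end

if __FILE__ == $0
  puts "check-then-act, 5 parallel requests: #{vulnerable_count(5)} endorsements"
  puts "unique index,   5 parallel requests: #{hardened_count(5)} endorsements"
end
```

The barrier makes the outcome deterministic for the demonstration; in a real deployment the window is only as wide as the gap between the SELECT and the INSERT, which is why the advisory rates attack complexity as high and why an application-side `exists?` check alone is never sufficient. When verifying a fix, the check to run is the same as the exploit: send the endorsement request several times concurrently and confirm that exactly one endorsement row exists afterwards.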

Weakness Enumeration: Race Condition

Related Identifiers: CVE-2023-47634, GHSA-R275-J57C-7MF2

Affected Products: Decidim