PT-2024-13556 · Unknown+2 · Decidim-Admin+3
Ctrgrb · Published 2024-02-20 · Updated 2024-12-16 · CVE-2023-48220
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
decidim versions 0.0.1.alpha3 through 0.26.8
decidim-admin versions 0.0.1.alpha3 through 0.26.8
decidim-system versions 0.0.1.alpha3 through 0.26.8
devise_invitable versions 0.4.rc3 through 2.0.8

Description
The invites feature in the devise_invitable gem allows users to accept invitations for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies in the decidim, decidim-admin, and decidim-system gems. When the password reset functionality is used, devise_invitable always accepts the pending invitation if the user has been invited, without checking that the pending invitation is still valid as defined by the invite_for expiry period. Decidim sets this configuration to 2.weeks, which should be respected.

Recommendations
For decidim versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above.
For decidim-admin versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above.
For decidim-system versions 0.0.1.alpha3 through 0.26.8, update to version 0.26.9 or above.
For devise_invitable versions 0.4.rc3 through 2.0.8, update to version 2.0.9 or above.
As a temporary workaround, pending invitations can be cancelled directly from the database by running the command:
Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)
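The missing check described above, as an added example that is not code from devise_invitable or Decidim: a constructed stand-in for an invited user record, where a password reset either accepts any pending invitation (the reported behaviour) or first requires the invitation to be inside the invite_for window (the corrected behaviour). Only invite_for and the 2.weeks value come from the advisory; the class, field and method names are assumptions for this demo.

```ruby
# Added example (not the gem's or Decidim's own code). Models an invited user
# and the expiry check that the advisory says the password reset path skipped.
TWO_WEEKS = 14 * 24 * 60 * 60  # Decidim's invite_for of 2.weeks, in seconds

class InvitedUser
  attr_reader :invitation_token, :invitation_created_at, :invitation_accepted_at

  def initialize(invitation_token:, invitation_created_at:)
    @invitation_token = invitation_token
    @invitation_created_at = invitation_created_at
    @invitation_accepted_at = nil
  end

  # A pending invitation: token present and not yet accepted.
  def invited_to_sign_up?
    !@invitation_token.nil? && @invitation_accepted_at.nil?
  end

  # The invitation is still inside the configured invite_for window.
  def invitation_period_valid?(invite_for: TWO_WEEKS, now: Time.now)
    @invitation_created_at + invite_for > now
  end

  def valid_invitation?(now: Time.now)
    invited_to_sign_up? && invitation_period_valid?(now: now)
  end

  # Reported behaviour: a password reset accepts any pending invitation,
  # however old it is. Returns true when an invitation was accepted.
  def reset_password_vulnerable!(now: Time.now)
    return false unless invited_to_sign_up?
    accept_invitation!(now)
    true
  end

  # Corrected behaviour: only accept an invitation that has not expired.
  def reset_password_fixed!(now: Time.now)
    return false unless valid_invitation?(now: now)
    accept_invitation!(now)
    true
  end

  private

  def accept_invitation!(now)
    @invitation_accepted_at = now
    @invitation_token = nil  # same effect as the database workaround above
  end
end
```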

Related Identifiers

CVE-2023-48220
GHSA-W3Q8-M492-4PWP

Affected Products

Decidim
Decidim-Admin
Decidim-System
Devise Invitable