CVE-2023-47635 in Decidim
Summary
by MITRE • 02/20/2024
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security threat, as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource, but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in versions 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.
Analysis
by VulDB Data Team • 04/19/2025
The vulnerability identified as CVE-2023-47635 affects Decidim, a participatory democracy framework designed to facilitate democratic processes through digital platforms. The flaw resides in the framework's Cross-Site Request Forgery (CSRF) protection, specifically in the questionnaire templates preview functionality. It manifests in versions 0.23.0 through 0.27.4 and 0.28.0 and creates an information disclosure risk for data held within the system.
The technical flaw is that CSRF authenticity token validation was deliberately disabled for questionnaire template previews. That token is the check that normally confirms a request was issued from the application's own pages rather than from a third-party site; with it skipped, the preview endpoint trusts the session cookie alone. The vulnerability falls under CWE-352 (Cross-Site Request Forgery): the framework does not verify that a request to the preview functionality was made by the authenticated user's browser on its own behalf rather than on behalf of another origin, which is a weakness in its authorization controls.
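As an added illustration (not Decidim's code and not the fix), the pure-Ruby model below shows what the skipped authenticity-token check normally does and what its absence changes. Decidim is a Rails application, and the Rails idiom for turning the check off on one action is `skip_before_action :verify_authenticity_token`; whether Decidim used exactly that idiom is not stated on this page. The `CsrfModel` and `PreviewEndpoint` names, the `skip_csrf_check:` flag and the session hashes are constructed for this example; only the token masking scheme (32-byte secret in the session, fresh one-time pad, pad XOR secret, Base64) follows what Rails does.

```ruby
# Added example, not Decidim's code. Models the Rails authenticity-token check
# so the effect of skipping it on one endpoint can be seen in isolation.
require "securerandom"
require "base64"

module CsrfModel
  TOKEN_LENGTH = 32

  # The real token lives only in the server-side session (constructed hash here).
  def self.real_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # What the application's own form embeds: one-time pad || (pad XOR real token).
  # A fresh pad per page keeps the real token out of the response body.
  def self.masked_token(session)
    raw = real_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Recovers the real token from a masked one; nil on malformed input.
  def self.unmask(encoded)
    bytes = Base64.strict_decode64(encoded.to_s)
    return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad = bytes[0, TOKEN_LENGTH]
    masked = bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    xor(pad, masked)
  rescue ArgumentError
    nil
  end

  # Constant-time comparison so a wrong token leaks nothing through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.valid_token?(session, submitted)
    candidate = unmask(submitted)
    return false if candidate.nil?
    secure_compare(candidate, real_token(session))
  end
end

# The preview action modelled twice: with the check skipped (the affected
# configuration) and with it enforced (the normal Rails default).
class PreviewEndpoint
  def initialize(skip_csrf_check:)
    @skip = skip_csrf_check
  end

  # :ok when the preview would render, :forbidden otherwise. The session cookie
  # is required in both configurations, matching the advisory's caveat.
  def post_preview(session, params)
    return :forbidden unless session[:user_id]
    unless @skip
      return :forbidden unless CsrfModel.valid_token?(session, params[:authenticity_token])
    end
    :ok
  end
end

# Constructed walk-through: one logged-in session, with and without the token.
def demo
  session = { user_id: 42 }                # constructed logged-in session
  token = CsrfModel.masked_token(session)  # what the app's own form would carry
  strict = PreviewEndpoint.new(skip_csrf_check: false)
  skipped = PreviewEndpoint.new(skip_csrf_check: true)
  {
    strict_with_token: strict.post_preview(session, { authenticity_token: token }),
    strict_without_token: strict.post_preview(session, {}),
    skipped_without_token: skipped.post_preview(session, {}),   # the weak configuration
    anonymous_skipped: skipped.post_preview({}, {})               # cookie still required
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `skipped_without_token` case is the point of the advisory: a request that carries a valid session cookie but no token from the application's own page is still served, which is exactly what the token exists to prevent. The `anonymous_skipped` case shows why the summary calls the threat limited: without the session cookie the endpoint still refuses. Rails applies this check to non-GET requests only, so the model is relevant to a POSTed preview; the fix in 0.27.5 and 0.28.0 corresponds to `skip_csrf_check: false`.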
The operational impact of this vulnerability extends beyond simple information disclosure, as it creates potential for unauthorized access to preview content that may contain sensitive information about proposed initiatives, user submissions, or other confidential data within the participatory democracy platform. While the specific URL does not permit modification of resources, the exposure of preview content could reveal strategic information about upcoming proposals, user engagement patterns, or other sensitive details that were not intended for public viewing. This represents a significant concern for democratic platforms where information integrity and user privacy are paramount.
The vulnerability is addressed in versions 0.27.5 and 0.28.0, which re-enable CSRF token validation for the affected functionality. Organizations using Decidim should prioritize upgrading to these versions. As a temporary workaround, administrators can disable the templates functionality entirely or remove all available templates from the system. VulDB maps this vulnerability to ATT&CK technique T1566.002 (Phishing: Spearphishing Link). It represents a critical concern for organizations implementing participatory democracy platforms, where the integrity of information flow directly affects democratic processes and user trust in the system's security.