CVE-2023-48220
unknown
CVSS v3: not published on this page
CVSS v4: not published on this page
VIR risk: not published on this page
Description
Possibility to circumvent the invitation token expiry period: an invitation token could still be redeemed after the expiry period configured for it had elapsed. Fixed releases exist for both Decidim (0.26.9, 0.27.5) and the devise_invitable gem (2.0.9); see Package impact and the fix commits under References.
Predictions
Exploit likelihood: 30%
Patch ETA: not published on this page
These are heuristic predictions, provided as-is, for prioritization only.
Mitigations
No mitigations published for this CVE yet. The remediation available today is to upgrade to a fixed release listed under Package impact (decidim, decidim-admin and decidim-system 0.26.9 or 0.27.5; devise_invitable 2.0.9).
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | decidim | >= 0.0.1.alpha3, < 0.26.9 | 0.26.9 |
| RubyGems | decidim-admin | >= 0.0.1.alpha3, < 0.26.9 | 0.26.9 |
| RubyGems | decidim-system | >= 0.0.1.alpha3, < 0.26.9 | 0.26.9 |
| RubyGems | decidim | >= 0.27.0, < 0.27.5 | 0.27.5 |
| RubyGems | decidim-admin | >= 0.27.0, < 0.27.5 | 0.27.5 |
| RubyGems | decidim-system | >= 0.27.0, < 0.27.5 | 0.27.5 |
| RubyGems | devise_invitable | >= 0.4.rc3, < 2.0.9 | 2.0.9 |
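To turn the ranges above into an actionable check, the following is an added example (not code from this page, from Decidim, or from devise_invitable) that parses a Gemfile.lock and reports every locked gem that falls inside an affected range. It relies only on Gem::Version and Gem::Requirement from Ruby's bundled rubygems, and the lockfile it runs against is a constructed sample, not a real deployment; the function names (parse_lockfile, vulnerable_gems, audit) are this example's own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges exactly as listed in the Package impact table; the fixed
# version of each branch is the exclusive upper bound of that branch.
AFFECTED = {
  "decidim"          => [[">= 0.0.1.alpha3", "< 0.26.9"], [">= 0.27.0", "< 0.27.5"]],
  "decidim-admin"    => [[">= 0.0.1.alpha3", "< 0.26.9"], [">= 0.27.0", "< 0.27.5"]],
  "decidim-system"   => [[">= 0.0.1.alpha3", "< 0.26.9"], [">= 0.27.0", "< 0.27.5"]],
  "devise_invitable" => [[">= 0.4.rc3", "< 2.0.9"]]
}.freeze

# Parse the resolved "specs:" entries of a Gemfile.lock into {name => Gem::Version}.
# Bundler writes each resolved gem as a four-space-indented "name (version)" line;
# its dependencies follow indented six spaces and are skipped by the anchored regex.
# A "-platform" suffix (e.g. "1.15.4-x86_64-linux") is dropped before parsing.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/) or next
    gems[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
  end
end

# Return [[name, locked_version, fixed_version], ...] for every locked gem whose
# version satisfies one of its affected ranges, sorted by gem name. Gems not in
# AFFECTED are never reported, and a version equal to the upper bound is fixed.
def vulnerable_gems(gems)
  gems.flat_map do |name, version|
    (AFFECTED[name] || []).filter_map do |lower, upper|
      next unless Gem::Requirement.new(lower, upper).satisfied_by?(version)
      [name, version.to_s, upper.delete_prefix("< ")]
    end
  end.sort_by(&:first)
end

# Constructed sample lockfile (not taken from any real deployment): a 0.27.x
# Decidim pinned one patch release short of the fix, with devise_invitable
# already updated and an unlisted gem (decidim-core) that must not be flagged.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.27.4)
        decidim-admin (= 0.27.4)
        decidim-core (= 0.27.4)
        decidim-system (= 0.27.4)
      decidim-admin (0.27.4)
      decidim-core (0.27.4)
        devise_invitable (~> 2.0)
      decidim-system (0.27.4)
      devise_invitable (2.0.9)
        actionmailer (>= 5.0)
      nokogiri (1.15.4-x86_64-linux)
LOCK

# Print one line per finding and return the findings so callers can act on them.
def audit(text = SAMPLE_LOCK)
  findings = vulnerable_gems(parse_lockfile(text))
  findings.each do |name, have, fixed|
    puts "#{name} #{have} is in an affected range for CVE-2023-48220; upgrade to >= #{fixed}"
  end
  findings
end

audit if $PROGRAM_NAME == __FILE__
```

Run it with `ruby audit.rb` after replacing SAMPLE_LOCK with `File.read("Gemfile.lock")`. On the sample it flags decidim, decidim-admin and decidim-system at 0.27.4 and stays silent on devise_invitable 2.0.9, which is exactly the boundary the table draws: the fixed version itself is outside the range.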
References
- GitHub Security Advisory GHSA-w3q8-m492-4pwp (Decidim): https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-48220
- Decidim fix commit: https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
- Decidim fix commit: https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
- devise_invitable fix commit: https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
- Decidim repository: https://github.com/decidim/decidim
- Decidim Devise initializer (decidim-core/config/initializers/devise.rb, line 134 at the referenced commit): https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
- Decidim release v0.26.9: https://github.com/decidim/decidim/releases/tag/v0.26.9
- Decidim release v0.27.5: https://github.com/decidim/decidim/releases/tag/v0.27.5
- Decidim release v0.28.0: https://github.com/decidim/decidim/releases/tag/v0.28.0
- devise_invitable model code (lib/devise_invitable/models.rb, line 198 at the referenced commit): https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198