VDB
KO
MEDIUM 6.0

GHSA-q79h-67vx-m9xg

Decidim: CSV census record endpoints improper authorization

Details

## Description

A participant manager can access and modify the CSV census record admin forms.

## Technical description

The CSV census admin record-management surface under `/admin/csv_census/census_logs` does not enforce admin-only authorization before rendering or mutating `Decidim::Verifications::CsvDatum`.

A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.

Reproduction steps: 1. Sign in a participant admin and open `http://localhost:3000/admin/csv_census/census_logs/new_record` in the browser. Confirm the create form loads even though the session is not a full admin.

<img width="1541" height="274" alt="decidim-census-01" src="https://github.com/user-attachments/assets/859ee101-746f-4acb-8051-27036689f1b3" />

<img width="1538" height="363" alt="decidim-census-02" src="https://github.com/user-attachments/assets/85bbb004-a999-46dc-856c-fd32b50ced2c" />

Note that normal participant accounts were not able to access the CSV census records which is good.

### Impact Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.

### Patches

See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703

### Workarounds

Disable Organization Census verification method

### Reference

OWASP A01:2021 Broken Access Control

### Credits

This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / decidim-verifications
Introduced in: 0 Fixed in: 0.30.9
Fix bundle update decidim-verifications
RubyGems / decidim-verifications
Introduced in: 0.31.0.rc1 Fixed in: 0.31.5
Fix bundle update decidim-verifications
RubyGems / decidim-verifications
Introduced in: 0.32.0.rc1 Fixed in: 0.32.0
Fix bundle update decidim-verifications

References