VDB
EN
MEDIUM 5.4

GHSA-vq6j-hj8w-7v39

Decidim: Forms admin question editor lacks authorization

상세

## Description

A participant can load the demographics questionnaire admin editor and make changes.

## Technical description

The demographics questionnaire editor should require admin access, but the route under `/admin/demographics/questions` renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.

Reproduction steps:

Step 1. Sign in as a normal participant: Open `http://localhost:3000/users/sign_in`. Step 2. Request the admin-only editor directly. Open `http://localhost:3000/admin/demographics/questions/edit_questions` in the same browser. Step 3. Add another question:

<img width="1522" height="1174" alt="decidim-questions-01" src="https://github.com/user-attachments/assets/923f85d4-0e2f-4511-a9f3-a92f74dbf1d8" />

Note that access was denied when attempting to see question responses or settings.

### Impact

- Low-privilege users can access questionnaire-admin interfaces. - They can read question-management surfaces that should remain limited to questionnaire managers. ### Patches

See https://github.com/decidim/decidim/pull/16665

### Workarounds

Disable the "decidim-demographics" module

### Reference

OWASP A01:2021 Broken Access Control

### Credits

This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / decidim-demographics
최초 영향 버전: 0.31.0 수정 버전: 0.31.5
수정 bundle update decidim-demographics
RubyGems / decidim-demographics
최초 영향 버전: 0.32.0.rc1 수정 버전: 0.32.0
수정 bundle update decidim-demographics

참고