CVE-2023-48220: CWE-672: Operation on a Resource after Expiration or Release in decidim decidim
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept an invitation for an unlimited amount of time through the password reset functionality. This creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is whether the user has been invited; the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks`, so that limit should be respected. The bug is in the `devise_invitable` gem and is fixed there; Decidim needed only to upgrade the dependency. Upgrading `devise_invitable` to version 2.0.9 or above fixes this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim`, `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.
AI Analysis
Technical Summary
CVE-2023-48220 is classified under CWE-672 (Operation on a Resource after Expiration or Release) and affects the Decidim participatory democracy framework through its dependency on the devise_invitable Ruby gem. Decidim uses devise_invitable to invite users; an invitation is meant to be usable only for the period set by `invite_for`, which Decidim configures to two weeks. In devise_invitable before 2.0.9, the password reset path accepts an invitation whenever the user still has one pending: the code checks only that the user was invited, not that the invitation is still inside the `invite_for` window, so an invitation that should have lapsed can be accepted indefinitely by going through "forgot password". The affected Decidim ranges are `decidim`, `decidim-admin` and `decidim-system` from 0.0.1.alpha3 before 0.26.9, from 0.27.0 before 0.27.5, and pre-releases before 0.28.0; the affected devise_invitable range is 0.4.rc3 before 2.0.9 (the earlier wording of this summary wrongly listed that gem range as a Decidim range). The practical consequence is that an invitation an administrator believes has expired still turns into a working account, with whatever role the invitation carried, for whoever controls the invited email address, since both the invitation and the password reset token are delivered there. The issue is fixed in devise_invitable 2.0.9 and later, and Decidim 0.26.9, 0.27.5 and 0.28.0 pick up the fixed gem. As a temporary mitigation, administrators can cancel outstanding invitations, in particular those older than `invite_for`, directly in the database. No exploitation in the wild is reported, but the expiry is a control organizations rely on when they invite external parties for a limited period.
Potential Impact
For European organizations using Decidim, particularly local governments, municipalities and civic engagement platforms, this vulnerability undermines a control those operators rely on: an invitation that was meant to lapse (for a contractor, a temporary staff member, a pilot participant) still grants an account, with the invited role, long after the two-week window. That can lead to unauthorized access to restricted spaces, manipulation of participatory inputs, or disruption of democratic workflows. Confidentiality is at risk if user or participatory data is exposed; integrity is at risk if an unauthorized user influences decision-making or alters records; availability impact is limited, mostly the administrative cost of clean-up. Given Decidim's role in democratic engagement, a misuse could erode public trust and carry reputational consequences. Exploitation needs no existing session on the platform, but it does need the password reset email for the invited address, so the realistic threat is the originally invited party, or anyone who later gains control of that mailbox, rather than an arbitrary anonymous attacker. The scope is limited to deployments on affected Decidim and devise_invitable versions. Organizations relying on Decidim for citizen participation should prioritize patching and review old invitations.
Mitigation Recommendations
1. Upgrade the devise_invitable gem to version 2.0.9 or later so the `invite_for` expiry is enforced on the password reset path.
2. Upgrade the decidim, decidim-admin and decidim-system gems to 0.26.9, 0.27.5 or 0.28.0 (or later in each series), which depend on the fixed gem; check the resolved version in `Gemfile.lock`.
3. As an immediate workaround, audit pending invitations in the database and cancel those whose `invitation_created_at` is older than `invite_for` (14 days in Decidim); clearing the invitation token is what cancels an invitation in devise_invitable.
4. Monitor and alert on invitation acceptance events, especially acceptances that happen well after the invitation was sent.
5. Review password reset and invitation workflows and log acceptance timestamps so they can be cross-checked against the expiry policy.
6. Conduct a user access review: accounts whose `invitation_accepted_at` is more than two weeks after the invitation was created were accepted outside the intended window and should be confirmed or revoked.
7. Educate administrators on timely invitation management and patching.
8. Consider multi-factor authentication for accounts to reduce the impact of an account obtained through invitation misuse.
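The following Ruby is an added example written for this page; it is not devise_invitable's or Decidim's code. It models the invitation columns a devise_invitable user row carries and Decidim's two-week `invite_for`, puts the vulnerable password-reset behaviour the technical summary describes next to a hardened version that honours the expiry, and includes a helper that selects the pending-but-expired invitations the database workaround in item 3 should cancel. The class `InvitedUser`, the sample users and the timestamps are constructed for the example; the method names `invited_to_sign_up?`, `invitation_period_valid?` and `accept_invitation!` mirror devise_invitable's vocabulary but their bodies are simplified, and the SHA-256 digest stands in for Devise's bcrypt hashing.

```ruby
require "digest"

# Added example for CVE-2023-48220 (not devise_invitable or Decidim source).
# Models the invitation columns on a devise_invitable user row and Decidim's
# invite_for = 2.weeks, then contrasts the vulnerable password-reset path
# with one that honours the expiry window.

INVITE_FOR = 14 * 24 * 60 * 60 # 2.weeks in seconds, Decidim's configured invite_for

class InvitedUser
  attr_reader :email, :invitation_token, :invitation_created_at,
              :invitation_accepted_at, :password_digest

  def initialize(email:, invitation_token:, invitation_created_at:)
    @email = email
    @invitation_token = invitation_token
    @invitation_created_at = invitation_created_at
    @invitation_accepted_at = nil
    @password_digest = nil
  end

  # A pending invite: token still present and never accepted.
  def invited_to_sign_up?
    !invitation_token.nil? && invitation_accepted_at.nil?
  end

  # Is the pending invite still inside the invite_for window?
  # An invite_for of 0 means "never expires".
  def invitation_period_valid?(invite_for: INVITE_FOR, now: Time.now.utc)
    return true if invite_for.zero?
    !invitation_created_at.nil? && invitation_created_at >= now - invite_for
  end

  # devise_invitable blocks sign-in while an invitation is pending; the
  # account only becomes usable once the invite has been accepted.
  def active_for_authentication?
    !invited_to_sign_up?
  end

  def accept_invitation!(now: Time.now.utc)
    @invitation_accepted_at = now
    @invitation_token = nil
  end

  # The advisory's database workaround, per row: drop the token so the row
  # is no longer "invited" and can never be accepted.
  def cancel_invitation!
    @invitation_token = nil
  end

  # Vulnerable (devise_invitable < 2.0.9 as described): a password reset
  # accepts ANY pending invitation, however old, so an expired invite still
  # yields a working account.
  def reset_password_vulnerable!(new_password, now: Time.now.utc)
    @password_digest = digest(new_password)
    accept_invitation!(now: now) if invited_to_sign_up?
    self
  end

  # Hardened: only a still-valid invite is accepted. An expired one stays
  # pending, so the account remains blocked from authentication even though
  # a password was set.
  def reset_password_hardened!(new_password, invite_for: INVITE_FOR, now: Time.now.utc)
    @password_digest = digest(new_password)
    if invited_to_sign_up? && invitation_period_valid?(invite_for: invite_for, now: now)
      accept_invitation!(now: now)
    end
    self
  end

  private

  # Stand-in for Devise's bcrypt hashing; only here so the reset has an effect.
  def digest(password)
    Digest::SHA256.hexdigest(password)
  end
end

# What the database audit in the workaround should select: invitations that
# are still pending but older than invite_for.
def expired_pending_invitations(users, invite_for: INVITE_FOR, now: Time.now.utc)
  users.select do |u|
    u.invited_to_sign_up? && !u.invitation_period_valid?(invite_for: invite_for, now: now)
  end
end

# Constructed sample data: one fresh invite (3 days old), one stale (60 days old).
NOW = Time.utc(2023, 11, 20, 12, 0, 0)
def sample_users
  [
    InvitedUser.new(email: "fresh@example.org", invitation_token: "tok-fresh",
                    invitation_created_at: NOW - 3 * 24 * 3600),
    InvitedUser.new(email: "stale@example.org", invitation_token: "tok-stale",
                    invitation_created_at: NOW - 60 * 24 * 3600)
  ]
end

# Does the stale invite yield a usable account under each path?
def demo
  _, stale_vuln = sample_users
  _, stale_fixed = sample_users
  stale_vuln.reset_password_vulnerable!("new-pass", now: NOW)
  stale_fixed.reset_password_hardened!("new-pass", now: NOW)
  {
    vulnerable_grants_access: stale_vuln.active_for_authentication?,
    hardened_grants_access: stale_fixed.active_for_authentication?,
    to_cancel: expired_pending_invitations(sample_users, now: NOW).map(&:email)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file shows the stale invitation producing a usable account on the vulnerable path and staying blocked on the hardened one, and lists `stale@example.org` as the row the workaround should cancel. The same selection, expressed against the real table, is "pending invitation whose creation time is older than `invite_for`", which is also the condition item 6 uses in reverse to find accounts that were accepted too late.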
Affected Countries
Spain, France, Germany, Italy, Belgium, Netherlands, Sweden, Finland, Denmark, Norway
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2023-11-13T13:25:18.480Z
- Cisa Enriched
- true
Threat ID: 682d9840c4522896dcbf1040
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 6/24/2025, 5:24:57 AM
Last updated: 7/28/2025, 1:41:02 PM