CVE-2023-36465: 
Ruby vulnerability analysis and mitigation

CVE-2023-36465 affects Decidim, a participatory democracy framework written in Ruby on Rails, originally developed for the Barcelona City government. The vulnerability was discovered in the templates module, which failed to enforce proper access controls. The issue was disclosed and patched in versions 0.26.8 and 0.27.4, released on July 27, 2023 (GitHub Release v0.26.8, GitHub Release v0.27.4).

The vulnerability stems from incorrect permission assignment in the templates module of Decidim. The CVSS v3.1 base score is rated as Critical with a score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L). The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-284 (Improper Access Control) (NVD Database).

The vulnerability allows any logged-in user to access functionality in the administration panel that should be restricted. An attacker could exploit this vulnerability to modify, create, or delete templates of surveys, potentially compromising the integrity of the system's survey data (GitHub Advisory).

The vulnerability has been patched in Decidim versions 0.26.8 and 0.27.4. Organizations should upgrade to these or newer versions to address the security issue. The upgrade process requires updating the Gemfile, running bundle update decidim, and executing the necessary database migrations (GitHub Release v0.26.8, GitHub Release v0.27.4).