CVE-2023-47635: 
Ruby vulnerability analysis and mitigation

CVE-2023-47635 affects Decidim, a participatory democracy framework, starting from version 0.23.0 and prior to versions 0.27.5 and 0.28.0. The vulnerability involves a disabled CSRF authenticity token check for the questionnaire templates preview functionality. The issue was discovered and disclosed in February 2024 (NVD, GitHub Advisory).

The vulnerability stems from a disabled CSRF (Cross-Site Request Forgery) authenticity token check in the questionnaire templates preview functionality. The issue was introduced in the controller file 'decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb' with the line 'skip_before_action :verify_authenticity_token, only: :preview'. The vulnerability has been assigned a CVSS v3.1 base score of 4.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N) (GitHub Advisory).

While the vulnerability does not allow modification of resources, it could potentially enable attackers to access information not intended for public viewing. However, the security impact is mitigated by the requirement that an attacker would need access to the session cookie to exploit the vulnerability (GitHub Advisory).

The vulnerability has been fixed in versions 0.27.5 and 0.28.0. As a temporary workaround, organizations can either disable the templates functionality entirely or remove all available templates. The permanent fix was implemented through PR #11743 (GitHub Advisory).