Decidim: CSV census record endpoints improper authorization
Description
A participant manager can access and modify the CSV census record admin forms.
Technical description
The CSV census admin record-management surface under /admin/csv_census/census_logs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum.
A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.
Reproduction steps:
- Sign in a participant admin and open
http://localhost:3000/admin/csv_census/census_logs/new_recordin the browser. Confirm the create form loads even though the session is not a full admin.
Note that normal participant accounts were not able to access the CSV census records which is good.
Impact
Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.Patches
See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703
Workarounds
Disable Organization Census verification method
Reference
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.