Decidim
cpe:2.3:a:decidim:decidim:*:*:*:*:ruby:*:*
- >= 0.19.0, < 0.30.5
- >= 0.19.0, < 0.31.1
A vulnerability in Decidim's amendment handling allows any registered, authenticated user to accept or reject amendments on proposals, affecting users who have enabled the amendments feature. The issue arises because the platform grants coauthorship to users who amend proposals, so authorship is falsely attributed to those who accept amendments. The vulnerability is present in Decidim versions from 0.19.0 before 0.30.5 and from 0.19.0 before 0.31.1, with the exception of 0.31.3, which is not vulnerable. Exploitation requires nothing more than accepting or rejecting amendments on affected proposals.
Exploiting this vulnerability allows users to manipulate the amendment acceptance process, potentially leading to unauthorized changes in proposal authorship and coauthorship credits.
To reproduce this vulnerability, log in as a registered user on a Decidim instance running a vulnerable version. Navigate to a proposal with the amendments feature enabled. Without any special permissions, accept or reject an amendment. The action will be processed as if it were done by the proposal's original author, due to the coauthorship feature.
Users can update to Decidim versions 0.30.5 or 0.31.1, where this vulnerability has been fixed. Alternatively, the amendments reactions feature can be disabled for the affected component, such as proposals.
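As an added illustration (not Decidim's own code), the following Ruby contrasts a reaction check that only requires a signed-in user with a hardened one that also requires the reactions setting to be enabled on the component and the actor to be an author of the amendable other than the amender; the model classes, field names and the scenario are assumptions.

```ruby
# Hypothetical stand-ins for a user, a proposal and an amendment (constructed
# for this example; not Decidim's models). Field names are assumptions.
User = Struct.new(:id)
Proposal = Struct.new(:id, :author_ids, :reactions_enabled)
Amendment = Struct.new(:id, :amendable, :amender_id, :state)

# Permissive check modelled on the advisory: being signed in is enough.
def vulnerable_can_react?(user, amendment)
  !user.nil? && amendment.state == :evaluating
end

# Hardened check: signed in, reactions enabled on the component, amendment
# still pending, and the actor is an author of the amendable who is not the
# amender (amending grants coauthorship, so that alone must not qualify).
def hardened_can_react?(user, amendment)
  return false if user.nil?
  proposal = amendment.amendable
  return false unless proposal.reactions_enabled
  return false unless amendment.state == :evaluating
  return false if user.id == amendment.amender_id
  proposal.author_ids.include?(user.id)
end

# Applies the reaction only when the check passes; returns the new state or nil.
def react!(user, amendment, decision, check: method(:hardened_can_react?))
  return nil unless check.call(user, amendment)
  amendment.state = decision == :accept ? :accepted : :rejected
end

# Constructed scenario: user 1 wrote the proposal, user 2 amended it (and was
# granted coauthorship), user 3 is an unrelated registered user.
ORIGINAL_AUTHOR = User.new(1)
AMENDER         = User.new(2)
OUTSIDER        = User.new(3)
PROPOSAL  = Proposal.new(10, [1, 2], true)
AMENDMENT = Amendment.new(20, PROPOSAL, 2, :evaluating)
# Same situation on a component where the reactions feature was disabled.
DISABLED  = Amendment.new(21, Proposal.new(11, [1], false), 2, :evaluating)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, outsider: #{vulnerable_can_react?(OUTSIDER, AMENDMENT)}"     # true
  puts "hardened, outsider:   #{hardened_can_react?(OUTSIDER, AMENDMENT)}"       # false
  puts "hardened, amender:    #{hardened_can_react?(AMENDER, AMENDMENT)}"        # false
  puts "hardened, author:     #{hardened_can_react?(ORIGINAL_AUTHOR, AMENDMENT)}" # true
  puts "hardened, disabled:   #{hardened_can_react?(ORIGINAL_AUTHOR, DISABLED)}"  # false
end
```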