Decidim
cpe:2.3:a:decidim:decidim:*:*:*:*:ruby:*:*
- > 0.0.1
A vulnerability in the Decidim participatory democracy framework allows unauthenticated access to all commentable resources via the root-level 'commentable' field in the API. This issue affects Decidim versions from 0.0.1 prior to 0.30.5 and 0.31.1, on all instances that have not secured the '/api' endpoint, which is publicly available by default. The vulnerability arises because the API lacks permission checks, potentially exposing private data in participation spaces, depending on the platform's nature.
Exploitation of this vulnerability allows unauthorized access to commentable resources, with the potential to expose private data in certain participation spaces.
Users can limit access to the '/api' endpoint to authenticated users only, either by installing the 'Decidim::Apiauth' module or by adding custom code that restricts API access. Another option is to configure Nginx to allow only specific IP addresses to reach the '/api' endpoint.
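As an added illustration of the "custom code" mitigation (this is example code, not Decidim's own or the Decidim::Apiauth module), the following Rack-style middleware refuses requests under '/api' unless the caller has an authenticated session, and can additionally restrict the endpoint to an allow-list of client networks, mirroring the Nginx approach. It assumes the session middleware exposes the logged-in user id as env["rack.session"][:user_id]; a Devise/Warden-based deployment would check the warden object instead. The inner app and the request environments are constructed for the example.

```ruby
require "ipaddr"

# Added example, not Decidim's own code: a Rack middleware that gates the
# /api endpoint behind an authenticated session and, optionally, an IP
# allow-list. Mount it ahead of the API route so unauthenticated queries
# never reach the GraphQL handler.
class ApiAccessGuard
  # allowed_networks: CIDR strings such as ["10.0.0.0/8"]; empty means no IP
  # restriction. Assumption: the session stores the user id under :user_id.
  def initialize(app, allowed_networks: [], api_prefix: "/api")
    @app = app
    @api_prefix = api_prefix
    @allowed = allowed_networks.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    # Only the API prefix is guarded; everything else passes straight through.
    return @app.call(env) unless path == @api_prefix || path.start_with?("#{@api_prefix}/")

    unless ip_allowed?(env["REMOTE_ADDR"])
      return [403, { "content-type" => "text/plain" }, ["API access is restricted to approved networks\n"]]
    end

    unless authenticated?(env)
      return [401, { "content-type" => "text/plain" }, ["Authentication required\n"]]
    end

    @app.call(env)
  end

  private

  # True when no allow-list is configured or the client address is inside one
  # of the configured networks. Malformed or missing addresses are rejected.
  def ip_allowed?(remote_addr)
    return true if @allowed.empty?
    return false if remote_addr.nil? || remote_addr.empty?
    addr = IPAddr.new(remote_addr)
    @allowed.any? { |net| net.include?(addr) }
  rescue IPAddr::InvalidAddressError
    false
  end

  # Assumed session layout: a hash-like object with a :user_id key.
  def authenticated?(env)
    session = env["rack.session"]
    session.respond_to?(:[]) && !session[:user_id].nil?
  end
end

# Constructed stand-in for the real API endpoint.
API_APP = ->(_env) { [200, { "content-type" => "application/json" }, ['{"data":{}}']] }

# Builds a constructed Rack env and returns the HTTP status the guard produces.
def request_status(middleware, path:, ip: "203.0.113.5", user_id: nil)
  env = {
    "PATH_INFO" => path,
    "REQUEST_METHOD" => "POST",
    "REMOTE_ADDR" => ip,
    "rack.session" => { user_id: user_id },
  }
  middleware.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  guard = ApiAccessGuard.new(API_APP, allowed_networks: ["10.0.0.0/8"])
  puts request_status(guard, path: "/api", ip: "10.1.2.3", user_id: 42)            # 200
  puts request_status(guard, path: "/api", ip: "10.1.2.3")                         # 401
  puts request_status(guard, path: "/api/query", ip: "198.51.100.7", user_id: 42)  # 403
  puts request_status(guard, path: "/processes", ip: "198.51.100.7")               # 200
end
```

The IP check runs before the session check so that a request from outside the approved networks is rejected regardless of credentials, and paths such as '/apiary' are deliberately not matched by the prefix test.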