CVE-2022-48365

Name of the Vulnerable Software and Affected Versions eZ Platform Ibexa Kernel versions prior to 1.3.26

Description An issue was discovered where the Company admin role gives excessive privileges, allowing users with this role to assign any role to any user, regardless of subtree limitations. This issue affects users who have the role/assign policy, typically given to administrators, but it is recommended to verify who has this policy in the installation.

Recommendations For versions prior to 1.3.26, update to version 1.3.26 or later to ensure that subtree limitations work as intended and to prevent excessive privileges for the Company admin role.