PT-2023-15742 · Ibexa · Ez Publish Ibexa Kernel
Patrick Allaert · Published: 2022-04-29 · Updated: 2026-03-16
·
CVE-2022-48367
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
eZ Publish Ibexa Kernel versions prior to 7.5.28
Description
An issue was discovered where access control based on object state is mishandled. This issue affects a policy used in roles to limit access to content based on specific object state values. Due to a flawed update, these limitations were ineffective, granting access to content regardless of the object state. The severity of this issue depends on the frontend design, as knowing the URL to the content may or may not be required to access it.
Recommendations
For versions prior to 7.5.28, please apply the fix as soon as possible, especially if object state limitations are used in roles.
Fix
Missing Authorization
Improper Preservation of Permissions
Related identifiers
Affected products
Ez Publish Ibexa Kernel