Jonas Roller

**Name of the Vulnerable Software and Affected Versions** eZ Platform Ibexa Kernel versions prior to 1.3.19 **Description** The issue allows determining account existence via a timing attack, affecting privacy. Ibexa DXP's implementation of random execution time to hinder timing attacks was found to be insufficient in some situations. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of timing attacks against user accounts, which can discover whether a given account exists in a system without knowing its password. **Recommendations** For versions prior to 1.3.19, update to version 1.3.19 or later, which replaces the random execution time with constant time functionality, configured in the new security.yml parameter `ibexa.security.authentication.constant auth time`. As a temporary workaround, consider increasing the `ibexa.security.authentication.constant auth time` setting if a warning is logged due to the constant time being exceeded.

**Name of the Vulnerable Software and Affected Versions** Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25 Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11 **Description** The issue allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced. When image files are uploaded, they are made accessible under a name similar to the original file name. This poses two issues: certain injection attacks can be possible due to not all possible attack vectors being removed from the original file name, and direct access to the images is not access controlled, allowing images not meant to be publicly accessible to be accessed if the image path and filename is correctly deduced or guessed. **Recommendations** For Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25, update to version 7.5.26 or later. For Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11, update to version 1.3.12 or later. As a temporary workaround, consider restricting access to image files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25 Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11 **Description** The issue allows injection attacks via image filenames when image files are uploaded. This is possible because not all possible attack vectors are removed from the original file name. Additionally, direct access to the images is not access controlled, which can allow images not meant to be publicly accessible to be accessed if the image path and filename are correctly deduced or guessed. **Recommendations** For versions 7.5.x through 7.5.25, update to version 7.5.26 or later to resolve the issue. For versions 1.3.x through 1.3.11, update to version 1.3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to image uploading functionality to minimize the risk of exploitation.