PT-2022-17219 · Ibexa +1 · Ibexa DXP +1
Christoph Rottermanner +1 · Published 2022-02-18 · Updated 2023-08-08 · CVE-2022-25336
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25
Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11
Description
The issue allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be deduced. Uploaded image files are made accessible under a name similar to the original file name. This causes two problems. First, certain injection attacks may be possible because not all attack vectors are removed from the original file name. Second, direct access to the images is not access controlled, so images not meant to be publicly accessible can be retrieved if the image path and filename are correctly deduced or guessed.
Recommendations
For Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25, update to version 7.5.26 or later.
For Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11, update to version 1.3.12 or later.
As a temporary workaround, consider restricting access to image files to minimize the risk of exploitation.
Fix
IDOR
Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
Ibexa DXP
ezpublish-kernel