PT-2022-17220 · Ibexa · Ibexa Dxp

Christoph Rottermanner +1 · Published 2022-02-18 · Updated 2022-03-03 · CVE-2022-25337

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ibexa DXP ezsystems/ezpublish-kernel versions 7.5.x through 7.5.25
Ibexa DXP ezsystems/ezpublish-kernel versions 1.3.x through 1.3.11

Description

The issue allows injection attacks via image filenames when image files are uploaded. This is possible because not all possible attack vectors are removed from the original file name. Additionally, direct access to the images is not access controlled, which can allow images not meant to be publicly accessible to be accessed if the image path and filename are correctly deduced or guessed.

Recommendations

For versions 7.5.x through 7.5.25, update to version 7.5.26 or later to resolve the issue. For versions 1.3.x through 1.3.11, update to version 1.3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to image uploading functionality to minimize the risk of exploitation.

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2022-25337
GHSA-XWV6-V7QX-F5JC

Affected Products

Ibexa Dxp