PT-2022-28184 · Ibexa · Ibexa Dxp

Published 2022-11-10 · Updated 2022-11-10

Severity: none assigned

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Ibexa DXP versions 3.3.* through 3.3.27
Ibexa DXP versions 4.2.* through 4.2.2
eZ Platform versions 2.5.* through 2.5.30

Description

Unauthenticated GraphQL queries for user accounts can expose the password hashes of users that have created or modified content, typically (but not necessarily) limited to administrators and editors.

Recommendations

For Ibexa DXP versions 3.3.* through 3.3.27, update to version 3.3.28 to resolve the issue.
For Ibexa DXP versions 4.2.* through 4.2.2, update to version 4.2.3 to resolve the issue.
For eZ Platform versions 2.5.* through 2.5.30, update to version 2.5.31 to resolve the issue.

As a temporary workaround, consider removing the passwordHash entry from src/bundle/Resources/config/graphql/User.types.yaml in the GraphQL package, and, if preferred, other properties such as hash type, email and login.

Weakness Enumeration

Related Identifiers

GHSA-3P7G-WRGG-WQ45

Affected Products

Ibexa Dxp
Ez Platform