PT-2023-15742 · Ibexa · Ez Publish Ibexa Kernel
Patrick Allaert · Published 2022-04-29 · Updated 2026-03-16 · CVE-2022-48367
| CVSS v3.1 | 9.8 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
eZ Publish Ibexa Kernel versions prior to 7.5.28
Description
An issue was discovered where access control based on object state is mishandled. It affects a policy limitation used in roles to restrict access to content according to specific object state values. Due to a flawed update, these limitations were ineffective, so access to content was granted regardless of its object state. The severity of this issue depends on the frontend design, since knowing the URL of the content may or may not be required to reach it.
Recommendations
For versions prior to 7.5.28, please apply the fix as soon as possible, especially if object state limitations are used in roles.
Fix
Missing Authorization
Improper Preservation of Permissions
Related Identifiers
Affected Products
Ez Publish Ibexa Kernel