Name of the Vulnerable Software and Affected Versions:

Ibexa DXP and eZ Platform (affected versions not specified)

ezsystems/ezpublish-kernel (affected versions not specified)

Description:

The issue allows specifying the name of the downloaded file in the route used for file downloads, which could lead to misunderstandings and confusion, and possibly other harm. This is due to an unintended side effect of the implementation. The issue affects installations where downloadable files exist.

Recommendations:

For Ibexa DXP and eZ Platform, update to a version that includes the fix for the issue.

For ezsystems/ezpublish-kernel, update to a patched version.

As a temporary workaround, consider blocking all downloads until a patch is available.