Name of the Vulnerable Software and Affected Versions:

Ibexa DXP and eZ Platform versions (affected versions not specified)

Description:

The issue allows specifying the name of the downloaded file in the route used for file downloads, which could lead to misunderstandings, confusion, and possibly other harm. This is due to an unintended side effect of the implementation. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations:

For all supported versions of Ibexa DXP and eZ Platform, update ibexa/core to the patched version.

As a temporary workaround, consider blocking all downloads until the issue is resolved.