VulnerableCode Package Details - pkg:composer/ezsystems/ezplatform-kernel@1.3.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-7fty-j3wj-aqf4 Aliases: CVE-2022-25336 GHSA-x8xx-x82q-42q3	Exposure of Resource to Wrong Sphere Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.	1.3.12 Affected by 0 other vulnerabilities. 7.5.26 Affected by 0 other vulnerabilities.
VCID-98jr-a3av-8faw Aliases: GHSA-w8qp-hmh5-4v9v GMS-2022-1044	Duplicate This advisory duplicates another.	1.3.17 Affected by 0 other vulnerabilities.
VCID-fjc8-x5ct-2uf3 Aliases: GHSA-gv2c-5g79-h73c GMS-2023-3987	Download route allows filename change ### Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist. ### Patches The issue is fixed in all supported versions of ezsystems/ezplatform-kernel, see "Patched versions". An advisory is also published for ezsystems/ezpublish-kernel and ibexa/core, please see those repositories. Commit: https://github.com/ezsystems/ezplatform-kernel/commit/affa2520e5e986e477ca7f7c93b9ca2c30188063 ### Workarounds None, other than blocking all downloads. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads	1.3.34 Affected by 0 other vulnerabilities.
VCID-jz3f-vywm-v7a7 Aliases: CVE-2022-48366 GHSA-66m4-gc8h-hpjx	Timing attack in eZ Platform Ibexa Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.	1.3.19 Affected by 0 other vulnerabilities.
VCID-m6hv-1sz4-mfff Aliases: GHSA-c737-jhwr-fqxj	Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims. Patches	1.3.1+1 Affected by 0 other vulnerabilities.
VCID-puj3-khrf-hfa6 Aliases: GHSA-mwvh-p3hx-x4gg	Ibexa Kernel's files with block listed extensions can be still saved to drafts File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. The fix ensures these unwanted file types are never stored. An attacker would need to have existing access to create content with a file field type to exploit this.	1.3.35 Affected by 0 other vulnerabilities.
VCID-veax-u5rr-4kbv Aliases: CVE-2022-48365 GHSA-qq2j-9pf8-g58c	Company admin role gives excessive privileges in eZ Platform Ibexa Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.	1.3.26 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7fty-j3wj-aqf4
Aliases:
CVE-2022-25336
GHSA-x8xx-x82q-42q3

Exposure of Resource to Wrong Sphere Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

1.3.12
Affected by 0 other vulnerabilities.

7.5.26
Affected by 0 other vulnerabilities.

VCID-98jr-a3av-8faw
Aliases:
GHSA-w8qp-hmh5-4v9v
GMS-2022-1044

Duplicate This advisory duplicates another.

1.3.17
Affected by 0 other vulnerabilities.

VCID-fjc8-x5ct-2uf3
Aliases:
GHSA-gv2c-5g79-h73c
GMS-2023-3987

Download route allows filename change ### Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist. ### Patches The issue is fixed in all supported versions of ezsystems/ezplatform-kernel, see "Patched versions". An advisory is also published for ezsystems/ezpublish-kernel and ibexa/core, please see those repositories. Commit: https://github.com/ezsystems/ezplatform-kernel/commit/affa2520e5e986e477ca7f7c93b9ca2c30188063 ### Workarounds None, other than blocking all downloads. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads

1.3.34
Affected by 0 other vulnerabilities.

VCID-jz3f-vywm-v7a7
Aliases:
CVE-2022-48366
GHSA-66m4-gc8h-hpjx

Timing attack in eZ Platform Ibexa Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

1.3.19
Affected by 0 other vulnerabilities.

VCID-m6hv-1sz4-mfff
Aliases:
GHSA-c737-jhwr-fqxj

Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims. Patches

1.3.1+1
Affected by 0 other vulnerabilities.

VCID-puj3-khrf-hfa6
Aliases:
GHSA-mwvh-p3hx-x4gg

Ibexa Kernel's files with block listed extensions can be still saved to drafts File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. The fix ensures these unwanted file types are never stored. An attacker would need to have existing access to create content with a file field type to exploit this.

1.3.35
Affected by 0 other vulnerabilities.

VCID-veax-u5rr-4kbv
Aliases:
CVE-2022-48365
GHSA-qq2j-9pf8-g58c

Company admin role gives excessive privileges in eZ Platform Ibexa Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.

1.3.26
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:24.401543+00:00	GitLab Importer	Affected by	VCID-puj3-khrf-hfa6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GHSA-mwvh-p3hx-x4gg.yml	38.6.0
2026-06-02T04:46:14.658941+00:00	GitLab Importer	Affected by	VCID-fjc8-x5ct-2uf3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GMS-2023-3987.yml	38.6.0
2026-06-02T04:44:14.654236+00:00	GitLab Importer	Affected by	VCID-veax-u5rr-4kbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/CVE-2022-48365.yml	38.6.0
2026-06-02T04:44:14.512991+00:00	GitLab Importer	Affected by	VCID-m6hv-1sz4-mfff	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GHSA-c737-jhwr-fqxj.yml	38.6.0
2026-06-02T04:44:14.412905+00:00	GitLab Importer	Affected by	VCID-jz3f-vywm-v7a7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/CVE-2022-48366.yml	38.6.0
2026-06-02T04:42:10.508364+00:00	GitLab Importer	Affected by	VCID-98jr-a3av-8faw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GHSA-w8qp-hmh5-4v9v.yml	38.6.0
2026-06-02T04:41:39.036869+00:00	GitLab Importer	Affected by	VCID-7fty-j3wj-aqf4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/CVE-2022-25336.yml	38.6.0