VulnerableCode Package Details - pkg:composer/ezsystems/ezplatform-kernel@1.3.20

Search for packages

Vulnerability	Summary	Fixed by
VCID-14tx-3uh7-gyaa Aliases: GHSA-8h83-chh2-fchp GMS-2022-6754	eZ Platform users with the Company admin role can assign any role to any user Critical severity. Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.	1.3.26 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.0-alpha1 Affected by 0 other vulnerabilities.
VCID-fjc8-x5ct-2uf3 Aliases: GHSA-gv2c-5g79-h73c GMS-2023-3987	Download route allows filename change ### Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist. ### Patches The issue is fixed in all supported versions of ezsystems/ezplatform-kernel, see "Patched versions". An advisory is also published for ezsystems/ezpublish-kernel and ibexa/core, please see those repositories. Commit: https://github.com/ezsystems/ezplatform-kernel/commit/affa2520e5e986e477ca7f7c93b9ca2c30188063 ### Workarounds None, other than blocking all downloads. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads	1.3.34 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.0.0-alpha1 Affected by 0 other vulnerabilities.
VCID-puj3-khrf-hfa6 Aliases: GHSA-mwvh-p3hx-x4gg	Ibexa Kernel's files with block listed extensions can be still saved to drafts File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. The fix ensures these unwanted file types are never stored. An attacker would need to have existing access to create content with a file field type to exploit this.	1.3.35 Affected by 0 other vulnerabilities. 4.0.0-alpha1 Affected by 0 other vulnerabilities.
VCID-veax-u5rr-4kbv Aliases: CVE-2022-48365 GHSA-qq2j-9pf8-g58c	Company admin role gives excessive privileges in eZ Platform Ibexa Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.	1.3.26 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-14tx-3uh7-gyaa
Aliases:
GHSA-8h83-chh2-fchp
GMS-2022-6754

eZ Platform users with the Company admin role can assign any role to any user Critical severity. Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.

1.3.26
Affected by 2 other vulnerabilities.

4.0.0-alpha1
Affected by 0 other vulnerabilities.

VCID-fjc8-x5ct-2uf3
Aliases:
GHSA-gv2c-5g79-h73c
GMS-2023-3987

Download route allows filename change ### Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist. ### Patches The issue is fixed in all supported versions of ezsystems/ezplatform-kernel, see "Patched versions". An advisory is also published for ezsystems/ezpublish-kernel and ibexa/core, please see those repositories. Commit: https://github.com/ezsystems/ezplatform-kernel/commit/affa2520e5e986e477ca7f7c93b9ca2c30188063 ### Workarounds None, other than blocking all downloads. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads

1.3.34
Affected by 1 other vulnerability.

4.0.0-alpha1
Affected by 0 other vulnerabilities.

VCID-puj3-khrf-hfa6
Aliases:
GHSA-mwvh-p3hx-x4gg

Ibexa Kernel's files with block listed extensions can be still saved to drafts File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. The fix ensures these unwanted file types are never stored. An attacker would need to have existing access to create content with a file field type to exploit this.

1.3.35
Affected by 0 other vulnerabilities.

4.0.0-alpha1
Affected by 0 other vulnerabilities.

VCID-veax-u5rr-4kbv
Aliases:
CVE-2022-48365
GHSA-qq2j-9pf8-g58c

Company admin role gives excessive privileges in eZ Platform Ibexa Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.

1.3.26
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:46:12.575578+00:00	GitLab Importer	Affected by	VCID-puj3-khrf-hfa6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GHSA-mwvh-p3hx-x4gg.yml	38.6.0
2026-06-06T04:17:12.049646+00:00	GitLab Importer	Affected by	VCID-fjc8-x5ct-2uf3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GMS-2023-3987.yml	38.6.0
2026-06-06T03:34:04.058674+00:00	GitLab Importer	Affected by	VCID-veax-u5rr-4kbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/CVE-2022-48365.yml	38.6.0
2026-06-06T03:10:31.543800+00:00	GitLab Importer	Affected by	VCID-14tx-3uh7-gyaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ezsystems/ezplatform-kernel/GMS-2022-6754.yml	38.6.0