CVE-2022-25336: Authorization Bypass Through User-Controlled Key in EZ Platform Kernel

Severity
5.3 MEDIUM (NVD)
EPSS
0.2% (top 59.08%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 18
Latest update: Feb 19

Description

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

Source      Package                        Affected from   Fixed in
NVD         ibexa/ez_platform_kernel       1.3.0           1.3.12 (+1)
Packagist   ezsystems/ezplatform-kernel    1.3.0           1.3.12

Vulnerability Details (2)

OSV: Exposure of Resource to Wrong Sphere in ezsystems/ezplatform-kernel (2022-02-19)
GHSA: Exposure of Resource to Wrong Sphere in ezsystems/ezplatform-kernel (2022-02-19)