Ezsystems Ezplatform-Kernel vulnerabilities

4 known vulnerabilities affecting ezsystems/ezplatform-kernel.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2022-48365 | HIGH | ≥ 1.3.0, < 1.3.26 | 2023-03-12
CVE-2022-48365 [HIGH] CWE-269 Company admin role gives excessive privileges in eZ Platform Ibexa
Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the sco
Sources: ghsa, osv

CVE-2022-48366 | LOW | ≥ 1.3.0, < 1.3.19 | 2023-03-12
CVE-2022-48366 [LOW] CWE-362 Timing attack in eZ Platform Ibexa
Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.a
Sources: ghsa, osv

CVE-2022-25336 | MEDIUM | ≥ 1.3.0, < 1.3.12 | 2022-02-19
CVE-2022-25336 [MEDIUM] CWE-668 Exposure of Resource to Wrong Sphere in ezsystems/ezplatform-kernel
When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, which limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors
Sources: ghsa, osv

CVE-2021-46875 | HIGH | ≥ 0, < 1.2.5.1; ≥ 1.3.0, < 1.3.1.1 | 2021-03-19
CVE-2021-46875 [HIGH] CWE-79 Cross-site scripting in eZ Platform Kernel
Impact: In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.
Patches: The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this c
Sources: ghsa, osv