Ibexa Ez Platform Kernel vulnerabilities

7 known vulnerabilities affecting ibexa/ez_platform_kernel.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 3, LOW 1

Vulnerabilities

CVE-2022-48367 | CRITICAL | CVSS 9.8 | ≥ 1.3.0, < 1.3.17; ≥ 7.5.0, < 7.5.28 | 2023-03-12
CWE-862: An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.
nvd
CVE-2022-48365 | HIGH | CVSS 7.2 | ≥ 1.3.0, < 1.3.26; ≥ 7.5.0, < 7.5.30 | 2023-03-12
CWE-269: An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.
nvd
CVE-2021-46875 | MEDIUM | CVSS 6.1 | ≥ 1.2.0, < 1.2.5.1; ≥ 1.3.0, < 1.3.1.1; +2 more | 2023-03-12
CWE-79: An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.
nvd
CVE-2021-46876 | MEDIUM | CVSS 5.3 | ≥ 6.13.0, < 6.13.8.1; ≥ 7.5.0, < 7.5.15.1 | 2023-03-12
CWE-203: An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.
nvd
CVE-2022-48366 | LOW | CVSS 3.7 | ≥ 1.3.0, < 1.3.19; ≥ 7.5.0, < 7.5.29 | 2023-03-12
CWE-362: An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.
nvd
CVE-2022-25337 | CRITICAL | CVSS 9.8 | ≥ 1.3.0, < 1.3.12; ≥ 7.5.0, < 7.5.26 | 2022-02-18
CWE-74: Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames.
nvd
CVE-2022-25336 | MEDIUM | CVSS 5.3 | ≥ 1.3.0, < 1.3.12; ≥ 7.5.0, < 7.5.26 | 2022-02-18
CWE-639: Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.
nvd