CVE-2022-25336

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

Published: Feb 18, 2022
Updated: Aug 9, 2023
CVE: CVE-2022-25336
GHSA: GHSA-x8xx-x82q-42q3
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-668
CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
ibexa / ez_platform_kernel	1.3.0	1.3.12
ibexa / ez_platform_kernel	7.5.0	7.5.26
ezsystems / ezplatform-kernel	1.3.0	1.3.12

https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization

Vulnerability Database

289,782

CVE-2022-25336