NotCVE - vendor:"Ibexa" product:"Ez Platform Kernel" version:" >= 1.3.0

6 results (0.002 seconds)

CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0

CVE-2021-46875

https://notcve.org/view.php?id=CVE-2021-46875

12 Mar 2023 — An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file. • https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.3EPSS: 0%CPEs: 5EXPL: 0

CVE-2022-48365

https://notcve.org/view.php?id=CVE-2022-48365

12 Mar 2023 — An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips • CWE-269: Improper Privilege Management •

CVSS: 3.7EPSS: 0%CPEs: 15EXPL: 0

CVE-2022-48366

https://notcve.org/view.php?id=CVE-2022-48366

12 Mar 2023 — An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0

CVE-2022-48367

https://notcve.org/view.php?id=CVE-2022-48367

12 Mar 2023 — An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge • CWE-862: Missing Authorization •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

CVE-2022-25336

https://notcve.org/view.php?id=CVE-2022-25336

18 Feb 2022 — Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced. Ibexa DXP ezsystems/ezpublish-kernel versiones 7.5.x anteriores a 7.5.26 y versiones 1.3.x anteriores a 1.3.12, permite ataques de Referencia Directa a Objetos Insegura (IDOR) contra archivos de imagen porque la ruta de la imagen y el nombre del archivo pueden ser deducidos correctamente • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2022-25337

https://notcve.org/view.php?id=CVE-2022-25337

18 Feb 2022 — Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames. Ibexa DXP ezsystems/ezpublish-kernel versiones 7.5.x anteriores a 7.5.26 y versiones 1.3.x anteriores a 1.3.12, permite ataques de inyección por medio de nombres de archivos de imágenes • https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •