CVE-2022-41876: 
PHP vulnerability analysis and mitigation

ezplatform-graphql, a GraphQL server implementation for Ibexa DXP and Ibexa Open Source, contained a critical vulnerability (CVE-2022-41876) that allowed unauthenticated GraphQL queries to expose password hashes of users who had created or modified content, primarily affecting administrators and editors. The vulnerability was discovered in versions prior to 2.3.12 and was reported by Philippe Tranca of Lexfo (GitHub Advisory).

The vulnerability existed in the GraphQL implementation where the 'passwordHash' entry in 'src/bundle/Resources/config/graphql/User.types.yaml' was exposed through unauthenticated queries. This affected multiple versions including Ibexa DXP v3.3., v4.2., and eZ Platform v2.5.* (GitHub Advisory).

The vulnerability allowed unauthorized access to user password hashes, particularly those of administrators and editors who had created or modified content. This could potentially lead to unauthorized access to administrative accounts if the hashes were successfully cracked (GitHub Advisory).

The issue was patched in versions v1.0.13 and v2.3.12. As a workaround, users can remove the 'passwordHash' entry from 'src/bundle/Resources/config/graphql/User.types.yaml' in the GraphQL package. Additional sensitive properties like hash type, email, and login can also be removed for enhanced security (GitHub Advisory).