CVE-2022-48365: 
PHP vulnerability analysis and mitigation

An issue was discovered in eZ Platform Ibexa Kernel before version 1.3.26 where the Company admin role gives excessive privileges, identified as CVE-2022-48365. The vulnerability affects multiple versions including Ibexa DXP v3.3., v4.2., and eZ Platform v2.5.* (Ibexa Advisory).

The vulnerability is related to a role assignment policy where users with the Company admin role (introduced by the company account feature) can assign any role to any user. The critical issue stems from the fact that any subtree limitation in place does not have any effect. This applies to any user that has the role/assign policy. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows users with the Company admin role to bypass intended role assignment restrictions and assign any role to any user in the system. While this capability is typically limited to administrators, the vulnerability could lead to privilege escalation if exploited by unauthorized users who have the role/assign policy (Ibexa Advisory).

The vulnerability has been fixed in Ibexa DXP versions v3.3.28, v4.2.3, and eZ Platform v2.5.31. Organizations should upgrade to these patched versions to ensure subtree limitations work as intended. The fix ensures that role assignment restrictions are properly enforced (GitHub Advisory).