CVE-2022-48367: 
PHP vulnerability analysis and mitigation

An issue was discovered in eZ Publish Ibexa Kernel before version 7.5.28, identified as CVE-2022-48367. The vulnerability relates to mishandling of access control based on object state. This critical security flaw was discovered and reported by Patrick Allaert, affecting multiple versions of the Ibexa DXP and eZ Platform software (Vendor Advisory).

The vulnerability stems from a flawed update implemented on February 16th, 2022, which rendered object state limitations ineffective in role-based access control. The issue has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with potential for complete system compromise (NVD).

The vulnerability allows unauthorized access to content regardless of object state values. When object state limitations are used in roles, the system grants access to the content irrespective of the configured state limitations. The impact severity depends on the frontend design, where content accessibility might require knowledge of specific URLs (Vendor Advisory).

The vulnerability has been patched in multiple versions: Ibexa DXP v4.1.2, v4.0.5, v3.3.18, and eZ Platform v2.5.29. Organizations using affected versions should immediately upgrade to the patched versions. The fix is distributed via Composer and addresses both the object state limitation issue and an associated Fastly cache purge vulnerability (Vendor Advisory).