GHSA-394j-x37r-2q27: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-394j-x37r-2q27) affects Ibexa DXP versions 4.2.0 through 4.2.3 and was disclosed on November 10, 2022. This critical security flaw allows users with the Company admin role to assign any role to any user, bypassing intended subtree limitations. The issue also affects any user that has the role/assign policy (GitHub Advisory, Ibexa Advisory).

The vulnerability stems from a failure in the subtree limitation functionality for role assignment policies. When users have the role/assign policy, any configured subtree limitations are ineffective, allowing unrestricted role assignments. This issue was particularly problematic with the Company admin role introduced in version 4 of the platform. The vulnerability was patched in version 4.2.3 by implementing proper subtree limitation checks (Ibexa Advisory).

The vulnerability allows unauthorized elevation of privileges within the system. While the role/assign policy is typically restricted to administrators, any user with this policy could assign any role to any user, effectively bypassing intended access control restrictions (GitHub Advisory).

The vulnerability has been fixed in Ibexa DXP version 4.2.3. Organizations should upgrade to this version to ensure proper enforcement of subtree limitations for role assignments. Additionally, administrators should review and verify which users have been granted the role/assign policy in their installations (GitHub Advisory).