GHSA-5x4f-7xgq-r42x: 
PHP vulnerability analysis and mitigation

An object state limitation vulnerability was discovered in eZ Publish Ibexa Kernel before version 7.5.28, identified as GHSA-5x4f-7xgq-r42x. The vulnerability was disclosed on April 28, 2022, affecting multiple versions of Ibexa DXP and eZ Platform components. The issue stems from ineffective object state limitations in roles that control access to content based on specific object state values (Ibexa Advisory, GitHub Advisory).

The vulnerability arose from a flawed update released on February 16th, 2022, which caused object state limitations to become ineffective. The issue resulted in granting access to content regardless of the object state, essentially bypassing the intended access control mechanisms. The vulnerability received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

The vulnerability could allow unauthorized access to content that should be restricted based on object state values. The impact severity depends on how the frontend is designed, where knowledge of content URLs may or may not be required to exploit the vulnerability. For organizations using object state limitations in their roles, this issue was deemed critical as it could lead to unauthorized access to protected content (Ibexa Advisory).

The vulnerability was patched in multiple versions including Ibexa DXP v4.1.2, v4.0.5, v3.3.18, and eZ Platform v2.5.29. Organizations were strongly advised to apply the fixes as soon as possible, particularly if they were using object state limitations in their roles (Ibexa Advisory).