GHSA-8h83-chh2-fchp: 
PHP vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-48365) was discovered in eZ Platform Ibexa Kernel before version 1.3.26, affecting multiple versions including Ibexa DXP v3.3., v4.2., and eZ Platform v2.5.*. The vulnerability relates to the Company admin role having excessive privileges, specifically in the role assignment functionality (Ibexa Advisory, GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue stems from a privilege management weakness (CWE-269) where users with the Company admin role or any user that has the role/assign policy can assign any role to any user, bypassing intended subtree limitations (NVD).

The vulnerability allows users with the Company admin role to assign any role to any user, effectively bypassing security restrictions. This could lead to privilege escalation and unauthorized access to system resources. While the role/assign policy is typically limited to administrators, the vulnerability could have significant security implications if exploited (Ibexa Advisory).

The vulnerability has been patched in Ibexa DXP versions 3.3.28, 4.2.3, and eZ Platform version 2.5.31. Organizations are strongly recommended to upgrade to these patched versions as soon as possible. The fix ensures that subtree limitations work as intended (Ibexa Advisory).