GHSA-g6jc-xrc3-4wwq: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-g6jc-xrc3-4wwq) affects Ibexa DXP versions 4.2.0 through 4.2.3 and was disclosed on November 10, 2022. This critical security issue involves a role assignment vulnerability where users with the Company admin role or any user with role/assign policy could assign any role to any user, bypassing intended subtree limitations (GitHub Advisory, Ibexa Advisory).

The vulnerability stems from a failure in the subtree limitation mechanism for role assignment policies. When users have the role/assign policy, any configured subtree limitations were ineffective, allowing unrestricted role assignments across the system. This particularly affected the Company admin role introduced in version 4 of the platform (Ibexa Advisory).

The vulnerability allows unauthorized elevation of privileges within the system. While the role/assign policy is typically restricted to administrators, any user with this policy could assign any role to any user, potentially leading to unauthorized access and privilege escalation (GitHub Advisory).

The vulnerability was patched in Ibexa DXP version 4.2.3. Organizations should upgrade to this version or later to ensure subtree limitations work as intended. It is recommended to audit who has access to the role/assign policy in existing installations (GitHub Advisory).