GHSA-g95c-xc83-8353: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-g95c-xc83-8353) affects Ibexa DXP's download route functionality, discovered and disclosed on November 3, 2023. The issue impacts Ibexa DXP and eZ Platform versions >= 4.5.0 and < 4.5.4, specifically in installations where downloadable files exist. This vulnerability was assigned a low severity rating (GitHub Advisory).

The vulnerability exists in the download route implementation where the system allows users to specify the name of the downloaded file. This unintended functionality enables the construction of download URLs with filenames that have no relation to the actual file being downloaded. The issue was addressed in the commit 704f221 of the ibexa/core repository (Ibexa Commit).

The vulnerability could lead to misunderstandings and confusion among users, as attackers could potentially create download links with misleading filenames that don't match the actual content being downloaded. While the severity is classified as low, this could potentially be used for social engineering or phishing attempts (GitHub Advisory).

The vulnerability has been patched in version 4.5.4 of ibexa/core. For affected versions, the only available workaround is to block all downloads entirely. The fix has been implemented across all supported versions of ibexa/core, and similar advisories have been published for ezsystems/ezpublish-kernel and ezsystems/ezplatform-kernel (GitHub Advisory).