GHSA-gv2c-5g79-h73c: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-gv2c-5g79-h73c) affects the download route functionality in Ibexa DXP and eZ Platform systems. Discovered and disclosed on November 3, 2023, this vulnerability allows users to specify arbitrary filenames in download URLs, affecting versions of ezsystems/ezplatform-kernel >= 1.3.0 and < 1.3.34. The issue impacts all supported versions of Ibexa DXP and eZ Platform where downloadable files exist (GitHub Advisory, Ibexa Advisory).

The vulnerability stems from an implementation side effect in the file download route system. It allows the construction of download URLs with filenames that have no relation to the actual file being downloaded. The issue has been assigned a low severity rating, as it primarily affects the presentation of file downloads rather than system security directly (GitHub Advisory).

The primary impact of this vulnerability is the potential for misunderstandings and confusion among users, as downloaded files can be presented with names that don't match their actual content. This mismatch between displayed and actual filenames could potentially lead to user confusion and other unspecified harm (GitHub Advisory).

The vulnerability has been patched in version 1.3.34 of ezsystems/ezplatform-kernel. For affected systems, the only available workaround is to block all downloads entirely. The fix has been implemented across all supported versions of ezsystems/ezplatform-kernel, ezsystems/ezpublish-kernel, and ibexa/core (GitHub Advisory, Ibexa Advisory).