GHSA-gvj8-4cj4-h776: 
PHP vulnerability analysis and mitigation

A critical vulnerability was discovered in ibexa/core affecting versions 4.0. and 4.1. related to object state limitations. The vulnerability was disclosed on April 28, 2022, and was identified as GHSA-gvj8-4cj4-h776. The issue affected the object state limitation policy functionality in Ibexa DXP and eZ Platform systems, which is used to control content access based on specific object state values (Ibexa Advisory, GitHub Advisory).

The vulnerability stemmed from a flawed update implemented on February 16th, 2022, which rendered object state limitations ineffective. The security mechanism would incorrectly grant access to content regardless of the object state values. The issue was assigned a Critical severity rating, though no specific CVSS score was provided (GitHub Advisory).

The vulnerability allowed unauthorized access to content that should have been restricted by object state limitations. The impact severity varied depending on the frontend design, where access to content URLs might have been required. For organizations using object state limitations in their roles, this vulnerability was considered critical as it completely bypassed the intended access controls (Ibexa Advisory).

The vulnerability was patched in versions 4.0.5 and 4.1.2 of ibexa/core. Organizations were strongly advised to apply these fixes as soon as possible, particularly if they were using object state limitations in their roles (GitHub Advisory, Ibexa Advisory).

The vulnerability was initially reported by security researcher Patrick Allaert, who was credited for responsible disclosure (Ibexa Advisory).