GHSA-q3x8-6898-23g3: 
PHP vulnerability analysis and mitigation

A user enumeration vulnerability was identified in ibexa/user package, tracked as GHSA-q3x8-6898-23g3. The vulnerability affects Ibexa DXP versions 5.0.0 through 5.0.3, discovered and disclosed on October 17, 2025. The issue allows potential attackers to determine whether specific user accounts exist in the system through error message analysis (Ibexa Advisory, GitHub Advisory).

The vulnerability is classified with a CVSS v4 base score of 6.9 (Moderate severity). The technical assessment shows the vulnerability has Network attack vector, Low attack complexity, requires No privileges, and No user interaction. The vulnerability is related to CWE-209 (Generation of Error Message Containing Sensitive Information), where the application provides error messages that could reveal sensitive information about user accounts (GitHub Advisory).

The vulnerability allows attackers to enumerate valid user accounts in the system through analysis of error messages. This could potentially facilitate further attacks by identifying valid user accounts for subsequent exploitation attempts (Ibexa Advisory).

The vulnerability has been patched in version 5.0.3 of ibexa/user. The fix involves making error messages sufficiently ambiguous to prevent user enumeration. No workarounds are available, and users are advised to upgrade to the patched version (GitHub Advisory, Ibexa Advisory).