GHSA-r3fg-3r88-6x3f – ibexa/user

Package

Manager: composer
Name: ibexa/user
Vulnerable Version: >=4.0.0 <4.4.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Ibexa User Settings are accessible on the front-end for anonymous user ### Impact This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-002-user-settings-are-accessible-on-the-front-end-for-the-anonymous-user

Metadata

Created: 2023-05-10T21:25:28Z
Modified: 2023-05-11T20:12:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r3fg-3r88-6x3f/GHSA-r3fg-3r88-6x3f.json
CWE IDs: []
Alternative ID: N/A
Finding: F308
Auto approve: 1