GHSA-r3fg-3r88-6x3f

Source

https://github.com/advisories/GHSA-r3fg-3r88-6x3f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r3fg-3r88-6x3f/GHSA-r3fg-3r88-6x3f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r3fg-3r88-6x3f

Published

2023-05-10T21:25:28Z

Modified

2024-11-30T05:37:23.694583Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Ibexa User Settings are accessible on the front-end for anonymous user

Details

Impact

This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings.

References

https://developers.ibexa.co/security-advisories/ibexa-sa-2023-002-user-settings-are-accessible-on-the-front-end-for-the-anonymous-user

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-10T21:25:28Z"
}

References

Affected packages

Packagist / ibexa/user

Package

Name: ibexa/user
Purl: pkg:composer/ibexa/user

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.3

Affected versions

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.1.0-beta1

v4.1.0-rc1

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.2.0-beta1

v4.2.0-rc1

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.3.0-beta1

v4.3.0-rc1

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.4.0-beta1

v4.4.0-rc1

v4.4.0

v4.4.1

v4.4.2