N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67719

CVE-2025-67719: Ibexa User Bundle is missing password change validation

Impact

The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in the back office without knowing the previous password. For example if someone logs in, leaves their workstation unlocked, and another person uses the same machine.

Credit

The issue was reported to us by Code-Rhapsodie. We thank them for their responsible disclosure! https://www.code-rhapsodie.fr/

Patches

See "Patched versions".
https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4

Workarounds

None.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67719

CVE-2025-67719:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ibexa/user	composer	>= 5.0.0-beta1, < 5.0.4	5.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch reveals that the vulnerability is located in the UserPasswordChangeData.php file. The change from #[Assert\\NotBlank] to #[Assert\\Sequentially([...])] for the $oldPassword property within the __construct method indicates that the original validation was flawed. The #[Assert\\NotBlank] attribute likely prevented the UserAssert\\UserPassword validation from running, which is responsible for verifying the old password. The fix ensures both validations run sequentially. Therefore, the constructor of the UserPasswordChangeData class is the vulnerable function as it's responsible for setting up the incorrect validation logic.

Vulnerable functions

Ibexa\User\Form\Data\UserPasswordChangeData::__construct

src/lib/Form/Data/UserPasswordChangeData.php

The vulnerability is in the constructor of the `UserPasswordChangeData` class, where the validation for the old password was incorrectly configured. The `#[Assert\\NotBlank]` attribute on the `$oldPassword` property prevented the custom `UserPassword` validator from executing, thus skipping the check of the old password. An attacker could exploit this by submitting a password change request without knowing the current password.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67719: Ibexa User Bundle is missing password change validation

Impact

Credit

Patches

Workarounds

CVE-2025-67719:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

N/A

N/A

CVE-2025-67719: Ibexa User Bundle is missing password change validation

Impact

Credit

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI