
GHSA-q3x8-6898-23g3: ibexa/user login enumerates user accounts

CVSS Score
N/A

Basic Information

CVE ID
-
EPSS Score
-
Published
10/17/2025
Updated
10/17/2025
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
-
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
ibexa/user     composer    >= 5.0.0, < 5.0.3     5.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a user enumeration issue in the login functionality of ibexa/user: the error messages returned on a failed login were specific enough for an attacker to determine whether a given user account exists. The patch was identified by comparing the git tags for the last vulnerable version (v5.0.2) and the first patched version (v5.0.3). The relevant commit, b7c88ec4492b8be98acc5bfb2e4708334157a5e2, carries the message "IBX-10654: Made authorization error messages less verbose", which directly matches the vulnerability description.

The commit modifies the onAuthenticationFailure method of the DefaultAuthenticationFailureHandler class: it intercepts a BadCredentialsException and replaces its message with the generic "Bad credentials." before the failure is reported to the client. Because the response no longer says which check failed, a failed login attempt no longer reveals whether the username is valid. The onAuthenticationFailure method is therefore the key vulnerable function, as it was responsible for handling and exposing the detailed error messages that enabled user enumeration.

Vulnerable functions

Ibexa\Bundle\User\Security\Authentication\DefaultAuthenticationFailureHandler::onAuthenticationFailure
src/bundle/Security/Authentication/DefaultAuthenticationFailureHandler.php
The vulnerability lies in the `onAuthenticationFailure` method within the `DefaultAuthenticationFailureHandler` class. Prior to the patch, this method would propagate the original `AuthenticationException`. This exception could contain specific error messages that would allow an attacker to distinguish between a non-existent user and a user with an incorrect password, thus enabling user enumeration. The patch mitigates this by catching `BadCredentialsException` and replacing it with a new exception containing the generic message 'Bad credentials.', effectively masking the underlying reason for the authentication failure.
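The pattern the analysis describes, as an added illustration in plain PHP. This is not Ibexa's code and does not reproduce the real DefaultAuthenticationFailureHandler: the exception classes, the Response type, the user store, the messages and the probe helper are simplified stand-ins constructed for the example. It shows a verbose failure handler beside a hardened one, and the check a tester would run against each: a known account with a wrong password versus an account that does not exist.

```php
<?php
declare(strict_types=1);

// Simplified stand-ins for Symfony's exception hierarchy; the real classes live in
// Symfony\Component\Security\Core\Exception and are not needed to run this script.
class AuthenticationException extends \RuntimeException {}
class BadCredentialsException extends AuthenticationException {}
class UserNotFoundException extends AuthenticationException {}

// Minimal stand-in for an HTTP response: a body and a status code.
final class Response
{
    public function __construct(public readonly string $body, public readonly int $status = 401) {}
}

// Hypothetical user store: only "alice" exists. Real code would hash passwords;
// plain strings are used only so the two failure paths are easy to follow.
function authenticate(string $username, string $password): void
{
    $users = ['alice' => 'correct-horse-battery'];
    if (!isset($users[$username])) {
        throw new UserNotFoundException(sprintf('Username "%s" does not exist.', $username));
    }
    if (!hash_equals($users[$username], $password)) {
        throw new BadCredentialsException('The presented password is invalid.');
    }
}

// Vulnerable pattern: the handler echoes whatever message the exception carries,
// so the response differs depending on which check failed.
final class VerboseFailureHandler
{
    public function onAuthenticationFailure(AuthenticationException $exception): Response
    {
        return new Response($exception->getMessage());
    }
}

// Hardened pattern (the shape of the fix described above): keep the detailed reason
// for server-side logs, but hand the client one fixed message for every failure.
final class GenericFailureHandler
{
    public function onAuthenticationFailure(AuthenticationException $exception): Response
    {
        error_log('authentication failure: ' . get_class($exception) . ': ' . $exception->getMessage());
        $generic = new BadCredentialsException('Bad credentials.', 0, $exception);
        return new Response($generic->getMessage());
    }
}

// Drive one login attempt through a handler and return what the client would see.
function probe(object $handler, string $username, string $password): string
{
    try {
        authenticate($username, $password);
        return 'login ok';
    } catch (AuthenticationException $e) {
        return $handler->onAuthenticationFailure($e)->body;
    }
}

// The enumeration check: a known account with a wrong password versus an account
// that does not exist. Any difference in the response body is an oracle.
function leaksUserExistence(object $handler): bool
{
    $existing = probe($handler, 'alice', 'wrong-password');
    $missing  = probe($handler, 'mallory', 'wrong-password');
    return $existing !== $missing;
}

foreach ([new VerboseFailureHandler(), new GenericFailureHandler()] as $handler) {
    printf("%-22s leaks user existence: %s\n", get_class($handler),
        leaksUserExistence($handler) ? 'yes' : 'no');
}
```

Run it with `php` from the command line: the verbose handler returns two different bodies for the two probes, the generic handler returns the same body for both. Making the message uniform closes only the message oracle. If the user lookup and the password verification take measurably different time, or the status code, redirect target or response length differ between the two cases, the same probe still distinguishes accounts, so compare status, headers and timing as well as the body when checking a login endpoint.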

WAF Protection Rules

WAF Rule

### Impact
In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error messages are sufficiently ambiguous.
### Patches
See "Patched versions".
### Workarounds
None.
### Resou
