N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-x93p-w2ch-fg67

GHSA-x93p-w2ch-fg67: Ibexa User Bundle is missing password change validation

Impact

The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in the back office without knowing the previous password. For example if someone logs in, leaves their workstation unlocked, and another person uses the same machine.

Credit

The issue was reported to us by Code-Rhapsodie. We thank them for their responsible disclosure! https://www.code-rhapsodie.fr/

Patches

See "Patched versions".
https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4

Workarounds

None.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-x93p-w2ch-fg67

GHSA-x93p-w2ch-fg67:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ibexa/user	composer	>= 5.0.0-beta1, < 5.0.4	5.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch 9d485bf385e6401c9f7ee80287d8ccd00f73dcf4 reveals a flaw in the password change validation logic within the ibexa/user package. The vulnerability is located in the UserPasswordChangeData class constructor. Previously, the validation annotations for the old password were not being applied correctly, which resulted in the system not verifying the user's current password during a password change operation. The fix, which involves wrapping the NotBlank and UserPassword assertions within a Sequentially attribute, confirms that the constructor is the entry point for the vulnerable logic. Therefore, any runtime profile during an exploit of this vulnerability would show the Ibexa\User\Form\Data\UserPasswordChangeData::__construct function being called.

Vulnerable functions

Ibexa\User\Form\Data\UserPasswordChangeData::__construct

src/lib/Form/Data/UserPasswordChangeData.php

The vulnerability is in the constructor of the `UserPasswordChangeData` class. The `#[Assert\\NotBlank]` attribute was incorrectly used, preventing the `@UserAssert\\UserPassword()` validation from running. This allowed a logged-in user to change their password without providing their current password. The patch corrects this by using `#[Assert\\Sequentially]` to ensure both `NotBlank` and `UserPassword` validations are executed.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-x93p-w2ch-fg67: Ibexa User Bundle is missing password change validation

Impact

Credit

Patches

Workarounds

GHSA-x93p-w2ch-fg67:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

GHSA-x93p-w2ch-fg67: Ibexa User Bundle is missing password change validation

Impact

Credit

Patches

Workarounds

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI