Ibexa Kernel and Kernel for eZ Platform users assigned with Company role can assign any role to any user

Advisories

severity: high
date: March 12, 2023
Affecting: ezpublish-kernel versions 7.5.0 upto 7.5.30
ezplatform-kernel versions 1.3.0 upto 1.3.26
CVE: CVE-2022-48365
CVE type: Privilege Defined With Unsafe Actions
CVSS: 8.7
CVSS V3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
References: GHSA-99r3-xmmq-7q7g
GHSA-8h83-chh2-fchp
ibexa advisory
fix commit