CVE-2022-48365: Critical vulnerabilities in GraphQL, role assignment, CT editing, and drafts tooltips
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.
Publication date: 10/11/2022, 16:10
Severity: High
Affected versions: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Resolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31
This security advisory concerns several fixes released together, some of which are of critical severity.
We strongly recommend applying the fixes as soon as possible!
GraphQL exposes sensitive data of certain users (CVE-2022-41876)
Affected: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31
Critical severity. The graphql endpoint exposes highly sensitive data of some users, including password hashes (not passwords), hash types, email addresses, and login names. Affected users are those who create and modify content. This means that in many cases, only administrators and editors are affected, as end users often do not have the required permissions. However, if your installation allows user-generated content, then all those who have submitted such content are affected.
Be sure to regenerate the graphql schema after applying the update.
Please see https://doc.ibexa.co/en/latest/api/graphql/graphql/#setup
Please ensure all affected users change their passwords. The fix includes a console command which can expire passwords of given users, to enforce the password change. The user group option is useful here, since it can help you expire passwords for all editors and administrators, for example.
Please see the command:
php bin/console ibexa:user:expire-password
This issue was reported to us by Philippe Tranca (“trancap”) of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. https://www.lexfo.fr/
Please note that the graphql endpoint is enabled by default, but it can be disabled or login can be made required.
See https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#use-secure-roles-and-policies
Subtree limitation for role assign policy does not have any effect
Affected: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31
Critical severity. Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect.
The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installation. The fix ensures that subtree limitations are working as intended.
XSS in Content Type name/shortname
Affected: Ibexa DXP v3.3.*, v4.2.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3
Critical severity. It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.
HTML tags can be injected in backend tooltips
Affected: Ibexa DXP v4.2.*
Fixed in: Ibexa DXP v4.2.3
High severity. It is possible to inject a limited subset of HTML tags (not JavaScript) in content draft names, which will be shown in tooltips on the "Drafts" page. These tags include links, which could lead away from the site and possibly be used in a phishing attack. To exploit it one must already be able to create content drafts, which limits the scope in many cases to editors and administrators. The fix ensures it is not possible to use such tags by default.
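Both the content type name/short name issue and the drafts tooltip issue come down to stored names being rendered into HTML without escaping. The following script is an added example for this advisory, not Ibexa's code: it audits a list of stored names for markup that may already have been injected before the fix was applied, and shows the escape-on-output rendering the fix describes. The draft names below are constructed sample data; the tag list and the tooltip markup are assumptions for illustration.

```python
"""Audit stored names for injected markup and render them escaped.

Added example for this advisory (not Ibexa's code). `find_markup` is a
pre-upgrade audit helper; `render_tooltip` shows escaping on output, which
is the class of fix the advisory describes for both the content type
name/short name fields and the drafts tooltips.
"""
import html
import re

# Matches an opening or closing HTML tag and captures its tag name.
# Bare "<" followed by a digit or space (e.g. "a < b") is not a tag.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*>")

# Constructed sample of stored draft / content type names. Two of them carry
# markup of the kinds the advisory mentions (a link and a formatting tag).
SAMPLE_DRAFT_NAMES = [
    "Homepage redesign (draft 3)",
    'Offer <a href="https://phish.example/login">click here</a>',
    "<b>Quarterly</b> report",
    "Price < 5 and > 3",
]


def find_markup(names):
    """Return (index, name, sorted tag names) for every name containing tags.

    Run this over exported draft names or content type names to find entries
    that were injected before the fixed version was deployed.
    """
    findings = []
    for idx, name in enumerate(names):
        tags = sorted({m.group(1).lower() for m in TAG_RE.finditer(name)})
        if tags:
            findings.append((idx, name, tags))
    return findings


def escape_for_html(text):
    """Escape <, >, &, and both quote characters so text is inert in HTML."""
    return html.escape(text, quote=True)


def render_tooltip(draft_name):
    """Render a draft name into an (assumed) tooltip element, escaped.

    The name is interpolated into both an attribute value and element text,
    so it is escaped once with quote=True, which covers both contexts.
    """
    safe = escape_for_html(draft_name)
    return f'<span class="tooltip" title="{safe}">{safe}</span>'


if __name__ == "__main__":
    for idx, name, tags in find_markup(SAMPLE_DRAFT_NAMES):
        print(f"name[{idx}] contains tags {tags}: {name!r}")
    print(render_tooltip(SAMPLE_DRAFT_NAMES[1]))
```

The audit flags only names with actual tags (`Price < 5 and > 3` is reported clean), and the rendered tooltip for the link-carrying name contains `&lt;a href` rather than a live anchor.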
### Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
### Patches
Resolving versions: Ibexa DXP v1.0.13, v2.3.12
### Workarounds
Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.
### References
This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.
### For more information
If you have any questions or comments about this advisory, please contact Support via your service portal.
ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.
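After applying the GraphQL fix (and regenerating the schema), or after removing the "passwordHash" entry as a workaround, you will want to confirm that the exposed fields are actually gone from the served schema. The script below is an added example for this advisory, not Ibexa's or the ezplatform-graphql project's code: it audits a saved GraphQL introspection response for password-related fields and for the other user properties the advisory lists. It assumes the standard introspection response shape (`data.__schema.types[].fields[].name`); the sample response is constructed, and apart from `passwordHash`, which the advisory names, the field names in it are assumptions.

```python
"""Audit a GraphQL introspection result for user-credential fields.

Added example for this advisory (not Ibexa's code). Assumes the standard
GraphQL introspection response shape; the sample is constructed and only
`passwordHash` is a field name the advisory itself confirms.
"""
import copy
import json
import sys

# Standard introspection query. Send it to your endpoint (with and without a
# session, since the advisory concerns unauthenticated access) and save the
# JSON response to a file, then run this script on that file.
INTROSPECTION_QUERY = """
query AuditTypes {
  __schema {
    types { name kind fields { name } }
  }
}
"""

# Constructed sample response modelling a schema that still exposes the
# fields this advisory describes (field names other than passwordHash are
# assumed; per-field type details are omitted for brevity).
SAMPLE_INTROSPECTION = {
    "data": {"__schema": {"types": [
        {"name": "Query", "kind": "OBJECT", "fields": [{"name": "user"}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id"},
            {"name": "login"},
            {"name": "email"},
            {"name": "passwordHash"},
        ]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "__Type", "kind": "OBJECT", "fields": [{"name": "name"}]},
    ]}}
}

# The same schema after the "passwordHash" entry has been removed, i.e. the
# state the workaround is meant to produce.
SAMPLE_AFTER_WORKAROUND = copy.deepcopy(SAMPLE_INTROSPECTION)
_user = SAMPLE_AFTER_WORKAROUND["data"]["__schema"]["types"][1]
_user["fields"] = [f for f in _user["fields"] if f["name"] != "passwordHash"]


def find_sensitive_fields(introspection, extra_names=("email", "login")):
    """Return sorted (type, field) pairs for object fields whose name contains
    'password' or matches one of extra_names (case-insensitive)."""
    root = introspection.get("data", introspection)
    schema = root.get("__schema", {})
    extra = {n.lower() for n in extra_names}
    hits = []
    for gql_type in schema.get("types", []):
        type_name = gql_type.get("name") or ""
        if gql_type.get("kind") != "OBJECT" or type_name.startswith("__"):
            continue  # skip scalars, enums and the introspection meta-types
        for field in gql_type.get("fields") or []:
            field_name = field["name"]
            if "password" in field_name.lower() or field_name.lower() in extra:
                hits.append((type_name, field_name))
    return sorted(hits)


def exposes_password_hash(introspection):
    """True while any object type still exposes a password-related field."""
    return any("password" in f.lower()
               for _, f in find_sensitive_fields(introspection, ()))


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_INTROSPECTION
    for type_name, field in find_sensitive_fields(data):
        print(f"{type_name}.{field}")
    # Non-zero exit so a CI check fails while the hash is still reachable.
    return 1 if exposes_password_hash(data) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python audit_introspection.py response.json`; with no argument it runs against the constructed sample. Email and login are reported for awareness only (they may be legitimately exposed to authenticated editors); the exit status is driven solely by password-related fields.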