CVE-2022-25336
Description
Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insecure Direct Object Reference (IDOR) in Ibexa DXP / eZ Platform image upload allows unauthorized access to image files.
Vulnerability
In Ibexa DXP (ezsystems/ezpublish-kernel) versions 7.5.x before 7.5.26 and 1.3.x before 1.3.12, uploaded image files are stored with a predictable path and filename based on the original file name. This lack of access control over image files enables an Insecure Direct Object Reference (IDOR) attack. The affected versions include all releases prior to the fixes, as listed in advisory IBEXA-SA-2022-001 [1][3]. The vulnerability is inherent to the image storage mechanism, which deliberately does not enforce access controls for performance reasons.
Exploitation
To exploit this vulnerability, an attacker needs to have access to upload images to the system (a prerequisite that limits the attack surface). With that access, the attacker can deduce or guess the full path and filename of other stored images because the naming convention is predictable. No authentication is required for the read operation; the attacker simply sends HTTP GET requests for the guessed file paths. The advisory notes that dictionary attacks can be used to enumerate filenames [3].
Impact
Successful exploitation allows an attacker to access any image file stored on the system, including those intended to be private. This leads to unauthorized information disclosure. While the attacker cannot modify or delete the images, they can retrieve sensitive visual data (e.g., confidential documents, personal photos) if such images are uploaded. The vulnerability does not directly enable remote code execution or privilege escalation, but the data leakage can have significant privacy and security implications.
Mitigation
The vulnerability is fixed in versions ezsystems/ezpublish-kernel 7.5.26 and ezsystems/ezplatform-kernel 1.3.12, released on 18 January 2022 [3]. The fix implements a new image file naming scheme: the original filename is better sanitized and a 12-character secure random hash is prepended, making unauthorized access prohibitively difficult. Administrators must run `php bin/console ibexa:images:normalize-paths` after upgrading to ensure all existing images are renamed correctly, then clear both HTTP and persistence cache, and finally run `php bin/console liip:imagine:cache:remove` to remove old cached thumbnails [3]. No workaround is available; upgrading to the patched version is required.
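The naming change described above, as an added illustration in PHP (not Ibexa's code): the predictable pre-fix name beside a prefixed one, plus a post-upgrade check that lists stored names still lacking the prefix. The hex alphabet, the `-` separator and all function names are assumptions; the page states only that the prefix is 12 random characters.

```php
<?php
declare(strict_types=1);

// Added illustration; not Ibexa's implementation.
// Assumed: hex prefix alphabet (6 random bytes = 48 bits) and "-" separator.

/** Pre-fix behaviour as the page describes it: stored name follows the upload name. */
function predictableName(string $original): string
{
    return basename($original);
}

/** Reduce a filename to a conservative character set, keeping the extension. */
function sanitizeName(string $original): string
{
    $base = basename(str_replace('\\', '/', $original));
    $ext  = strtolower(preg_replace('/[^A-Za-z0-9]/', '', pathinfo($base, PATHINFO_EXTENSION)));
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '-', pathinfo($base, PATHINFO_FILENAME)), '-');
    if ($stem === '') {
        $stem = 'image'; // nothing usable left after sanitizing
    }
    return $ext === '' ? $stem : "$stem.$ext";
}

/** Post-fix shape: 12 characters from a CSPRNG, then the sanitized name. */
function hardenedName(string $original): string
{
    return bin2hex(random_bytes(6)) . '-' . sanitizeName($original);
}

/** Post-upgrade check: return stored names that still lack the random prefix. */
function findUnnormalized(array $storedNames): array
{
    return array_values(array_filter(
        $storedNames,
        fn (string $name): bool => preg_match('/^[0-9a-f]{12}-/', $name) !== 1
    ));
}

// Constructed sample listing: one prefixed name, one legacy name, one fresh upload.
$stored = [
    '3f9c1a7be024-team-photo.jpg',
    predictableName('uploads/passport-scan.png'),
    hardenedName('../../Q3 report (final).PNG'),
];
print_r(findUnnormalized($stored));
```

Any name the check returns is still guessable from the original upload name and indicates that path normalization has not covered that file.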
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezplatform-kernel (Packagist) | >= 1.3.0, < 1.3.12 | 1.3.12 |
Affected products
- Ibexa DXP/ezpublish-kernel (source: description)
- Range: <7.5.26, <1.3.12
References
- [1] github.com/advisories/GHSA-x8xx-x82q-42q3 (source: GHSA; type: advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-25336 (source: GHSA; type: advisory)
- [3] developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization (source: GHSA, x_refsource_MISC; type: web)