CVE-2022-25337
Description
Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uploaded image filenames are not sanitized in Ibexa DXP (ezsystems/ezpublish-kernel 7.5.x and ezsystems/ezplatform-kernel 1.3.x), allowing an uploader to perform injection attacks through a crafted filename; fixed in 7.5.26 and 1.3.12.
Vulnerability
The vulnerability affects ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and ezsystems/ezplatform-kernel 1.3.x before 1.3.12. Image filenames are not properly sanitized, enabling injection attacks. Additionally, direct access to uploaded images is not access-controlled by design, potentially exposing non-public images [3].
Exploitation
An attacker needs the ability to upload images. By uploading a file with a crafted filename, injection attacks can be performed against the system or users viewing the image. The lack of access control on image paths also allows dictionary attacks to guess filenames and access images not intended to be public [3].
Impact
Successful exploitation can lead to injection attacks (e.g., script or HTML injection) and unauthorized disclosure of images that should be restricted. The severity is rated High [3].
Mitigation
Fixed versions are ezsystems/ezpublish-kernel v7.5.26 and ezsystems/ezplatform-kernel v1.3.12. Upgrading only protects new uploads; images already stored with unsanitized names remain exploitable until they are renamed. After upgrading, administrators should run `php bin/console ibexa:images:normalize-paths` to normalize the filenames of existing images, clear the HTTP and persistence caches, and run `php bin/console liip:imagine:cache:remove` so that cached variations generated from the old names are discarded. New images are sanitized automatically [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezpublish-kernel (Packagist) | >= 7.5.0, < 7.5.26 | 7.5.26 |
Affected products
- Ibexa DXP/ezpublish-kernel
- Range: >=7.5.0,<7.5.26 || >=1.3.0,<1.3.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-xwv6-v7qx-f5jc (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-25337 (NVD entry)
- [3] developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization (vendor advisory IBEXA-SA-2022-001)
News mentions
No linked articles in our index yet.