Security Advisory IBEXA-SA-2023-002: User Settings are accessible on the front-end for the anonymous user

Publication date: 10/05/2023, 14:35

Severity: Medium

Affected versions: Ibexa DXP v4.4.*
Resolving versions: Ibexa DXP v4.4.3 and v4.5.0

This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: IBEXA-SA-2023-002

User Settings are accessible on the front-end for the anonymous user