Security advisory: IBEXA-SA-2024-001

Taxonomy Tree Controller fails to check permissions
Publication date:
05/02/2024, 14:05

Severity:
Medium

Affected versions: Ibexa DXP v4.5.* (ibexa/taxonomy)
Resolving versions: Ibexa DXP v4.5.5 (ibexa/taxonomy)

The Taxonomy tree controller fails to apply permission checks in one case. This means someone who already has backend access but no access to taxonomy tags can still see taxonomy tags and their identifiers by crafting a manual request. Installations that use taxonomy tags and have backend users without taxonomy access may be affected.

This vulnerability was reported to us by Matthias Schmidt from adesso SE (https://www.adesso.de/).
We thank them for their research and for responsibly disclosing the issue to us.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
