Severity:
Affected versions: Ibexa DXP v4.6.* (several repositories, please see the description)
Resolving versions: Ibexa DXP v4.6.17 (several repositories, please see the description)
This security advisory includes two fixes released together, one of which is of critical severity. If you are affected, we strongly recommend applying the fixes as soon as possible.
CartOwner permission limitation exposes carts
This fixes a critical vulnerability in the REST API regarding shopping carts. The cart owner policy limitation fails to restrict cart queries correctly, so an authenticated REST client can query all carts as long as its user has the cart view policy, regardless of the owner limitation attached to it. The returned carts include the cart contents and a user identifier. The fix ensures that when the owner limitation is present, only carts owned by the requesting user are returned.
This vulnerability was discovered and reported to Ibexa by Corentin JACQUIER from Coexya. We thank them for reporting it responsibly to us!
Fixed in ibexa/cart v4.6.17
Unauthorized user can cancel scheduled publish events
This fixes a medium-to-high-severity vulnerability in publish scheduling. When content is scheduled to be published in the future, that schedule can be edited or cancelled. Editing the schedule checks the content edit/create policies. Cancelling it, however, can be done by any user who has backend access together with the read, versionread and reverse related list policies. The fix ensures that the edit/create policies are checked for cancellation as well.
Fixed in ibexa/scheduler v4.6.17
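The two fixes above share one root cause: a permission check that is either not carried into the data query (the cart owner limitation) or not applied to every code path that changes state (schedule cancellation). The following is an added example, not Ibexa code, that models both in a minimal in-memory permission system. All class names, policy names and the `ownerOnly` flag are hypothetical stand-ins for the real Ibexa API; the sample carts and users are constructed for the example.

```php
<?php
// Added example (not Ibexa code). Hypothetical names throughout.
declare(strict_types=1);

final class Policy
{
    public function __construct(
        public readonly string $module,          // e.g. "cart", "content"
        public readonly string $function,        // e.g. "view", "edit"
        public readonly bool $ownerOnly = false, // stand-in for the Owner limitation
    ) {}
}

final class User
{
    /** @param Policy[] $policies */
    public function __construct(public readonly int $id, public readonly array $policies) {}

    public function policy(string $module, string $function): ?Policy
    {
        foreach ($this->policies as $p) {
            if ($p->module === $module && $p->function === $function) {
                return $p;
            }
        }
        return null;
    }
}

final class Cart
{
    /** @param string[] $items */
    public function __construct(public readonly int $id, public readonly int $ownerId, public readonly array $items) {}
}

final class CartRepository
{
    /** @param Cart[] $carts constructed stand-in for the cart table */
    public function __construct(private readonly array $carts) {}

    /** Vulnerable: the policy is checked, but its limitation never reaches the query. */
    public function findAllVulnerable(User $user): array
    {
        if ($user->policy('cart', 'view') === null) {
            throw new RuntimeException('unauthorized');
        }
        return $this->carts; // every cart, items and owner ids included, for any viewer
    }

    /** Fixed: the Owner limitation becomes a filter on the query itself. */
    public function findAllFixed(User $user): array
    {
        $policy = $user->policy('cart', 'view');
        if ($policy === null) {
            throw new RuntimeException('unauthorized');
        }
        if (!$policy->ownerOnly) {
            return $this->carts; // unlimited policy, e.g. an administrator
        }
        return array_values(array_filter(
            $this->carts,
            static fn (Cart $c): bool => $c->ownerId === $user->id,
        ));
    }
}

final class ScheduledPublish
{
    public function __construct(public readonly int $contentId, public bool $cancelled = false) {}
}

final class Scheduler
{
    /** Vulnerable: cancelling is gated on read-only policies (reverse related list omitted for brevity). */
    public function cancelVulnerable(User $user, ScheduledPublish $s): void
    {
        if ($user->policy('content', 'read') === null || $user->policy('content', 'versionread') === null) {
            throw new RuntimeException('unauthorized');
        }
        $s->cancelled = true;
    }

    /** Fixed: cancelling changes publication state, so it needs the same policy as editing the schedule. */
    public function cancelFixed(User $user, ScheduledPublish $s): void
    {
        if ($user->policy('content', 'edit') === null) {
            throw new RuntimeException('unauthorized');
        }
        $s->cancelled = true;
    }
}

// Constructed sample data: two customers' carts, one customer with an owner-limited view policy.
$repo = new CartRepository([new Cart(1, 10, ['sku-a']), new Cart(2, 20, ['sku-b'])]);
$customer = new User(10, [new Policy('cart', 'view', ownerOnly: true)]);
printf("vulnerable query returns %d carts\n", count($repo->findAllVulnerable($customer)));
printf("fixed query returns %d carts\n", count($repo->findAllFixed($customer)));

// A backend user with read-type policies only, no content/edit.
$reader = new User(30, [new Policy('content', 'read'), new Policy('content', 'versionread')]);
(new Scheduler())->cancelVulnerable($reader, new ScheduledPublish(100));
echo "vulnerable cancel succeeded without content/edit\n";
try {
    (new Scheduler())->cancelFixed($reader, new ScheduledPublish(100));
} catch (RuntimeException $e) {
    echo "fixed cancel denied without content/edit\n";
}
```

The point of the cart half is that a limitation is not a yes/no check on the policy but a constraint that must be translated into the query's own filter; the point of the scheduler half is that any action which changes publication state should require the same policy as the edit path, not merely the policies needed to read the content.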
Dependency upgrades
The release also upgrades the requirements for Twig to v3.19 and PHPSpreadsheet to v1.29.9, resolving several vulnerabilities of varying severity in those dependencies. Installations using PHP v7.x will receive Twig v3.11 instead; this is not a problem, as the Twig vulnerability was introduced in v3.16 and does not affect v3.11. However, we strongly recommend upgrading PHP to v8.2 or v8.3 for general performance and security reasons.
Fixed in twig/twig v3.19.0 and phpoffice/phpspreadsheet v1.29.9
Twig vulnerability: https://github.com/twigphp/Twig/security/advisories/GHSA-3xg3-cgvq-2xwr
PHPSpreadsheet vulnerabilities: https://github.com/PHPOffice/PhpSpreadsheet/security
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/