Security advisory: IBEXA-SA-2022-009

This security advisory concerns several fixes released together, some of which are of critical severity.
We strongly recommend applying the fixes as soon as possible!

GraphQL exposes sensitive data of certain users (CVE-2022-41876)

Affected: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31
Critical severity. The graphql endpoint exposes highly sensitive data of some users, including password hashes (not passwords), hash types, email addresses, and login names. Affected users are those who create and modify content.  This means that in many cases, only administrators and editors are affected, as end users often do not have the required permissions. However, if your installation allows user-generated content, then all those who have submitted such content are affected.

Be sure to regenerate the graphql schema after applying the update.
Please see https://doc.ibexa.co/en/latest/api/graphql/graphql/#setup

Please ensure all affected users change their passwords. The fix includes a console command which can expire passwords of given users, to enfore the password change. The user group option is useful here, since it can help you expire passwords for all editors and administrators, for example.
Please see the command:

php bin/console ibexa:user:expire-password

This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. https://www.lexfo.fr/

Please note that the graphql endpoint is enabled by default, but it can be disabled or login can be made required.
See https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#use-secure-roles-and-policies

Subtree limitation for role assign policy does not have any effect

Affected: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31
Critical severity. Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect.

The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installaton. The fix ensures that subtree limitations are working as intended.

XSS in Content Type name/shortname

Affected: Ibexa DXP v3.3.*, v4.2.*
Fixed in: Ibexa DXP v3.3.28, v4.2.3
Critical severity. It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.

HTML tags can be injected in backend tooltips

Affected: Ibexa DXP v4.2.*
Fixed in: Ibexa DXP v4.2.3
High severity. It is possible to inject a limited subset of HTML tags (not JavaScript) in content draft names, which will be shown in tooltips on the "Drafts" page. These tags include links, which could lead away from the site and possibly be used in a phishing attack. To exploit it one must already be able to create content drafts, this limits the scope in many cases to editors and administrators. The fix ensures it is not possible to use such tags by default.