Impact
A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is currently required. This means any editor can see core system information, including the output from phpinfo(). This affects ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected.
Patches
ezsystems/ez-support-tools v2.2.3
Credit
This issue was reported to us by Mark Krogoll from Comwrap. We are very grateful for their research, and responsible disclosure to us.
https://comwrap.com/
For more information
https://doc.ibexa.co/en/latest/guide/reporting_issues/
https://developers.ibexa.co/security-advisories
Impact
A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The "Setup / System info" policy should be required to access it, but only backend login is currently required. This means any editor can see core system information, including the output from phpinfo(). This affects ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected.
Patches
ezsystems/ez-support-tools v2.2.3
Credit
This issue was reported to us by Mark Krogoll from Comwrap. We are very grateful for their research, and responsible disclosure to us.
https://comwrap.com/
For more information
https://doc.ibexa.co/en/latest/guide/reporting_issues/
https://developers.ibexa.co/security-advisories