9 matches found
Improper Authentication
ibexa/user is vulnerable to improper authentication. The vulnerability is due to an error in the password validation logic during the transition from v4 to v5, which allows an attacker to change the account password without knowing the previous password by exploiting an active authenticated sessi...
EUVD-2025-202462
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This...
CVE-2025-67719 Ibexa User Bundle is missing password change validation
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This...
Ibexa User Bundle security vulnerability
Ibexa User Bundle is an open source content management system from Ibexa. A security vulnerability exists in Ibexa User Bundle versions 5.0.0-beta1 through 5.0.3, which stems from a lack of password validation that could cause a logged-in user to change their password without having to know the o...
GHSA-X93P-W2CH-FG67 Ibexa User Bundle is missing password change validation
Impact: The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in...
Ibexa User Bundle is missing password change validation
Impact: The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in...
Unverified Password Change
Overview: Affected versions of this package are vulnerable to Unverified Password Change via the password change process in the back office. An attacker can gain unauthorized access to change account credentials by exploiting the lack of previous password validation during the password change...
Information Exposure
Overview: Affected versions of this package are vulnerable to Information Exposure via the login process. An attacker can determine the existence of user accounts by analyzing differences in error messages presented during authentication attempts. Remediation: Upgrade ibexa/user to version 5.0.3 or...
EUVD-2025-34904
ibexa/user login enumerates user accounts...