CVE-2025-67719
BaseFortify

Publication date: 2025-12-11

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4.
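The bug class the advisory describes is CWE-620: the handler that sets a new password is supposed to verify the current one first, but that check never executes, so an attacker holding an authenticated back-office session just submits a new password. The following added example (not Ibexa's code, and not a reproduction of the actual 5.0.x defect) shows one hypothetical way such a check silently stops running, next to a hardened handler that always verifies the old password with a constant-time comparison. The `User` class, the PBKDF2 storage format and the handler names are constructed for the illustration.

```python
"""CWE-620 illustration: a change-password handler whose old-password check
does not run, beside a hardened version. Constructed example; not Ibexa code."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256; stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class User:
    """Minimal stand-in for a back-office user record (constructed)."""

    def __init__(self, login: str, password: str) -> None:
        self.login = login
        self.password_hash = hash_password(password)


def change_password_vulnerable(user: User, old_password: str, new_password: str) -> bool:
    """'Before' shape (hypothetical, not the real Ibexa bug): the old-password
    check is guarded by the field being non-empty, so a blank or missing
    old_password skips verification entirely. Anyone with the session can
    submit an empty field and set a new password."""
    if old_password and not verify_password(old_password, user.password_hash):
        return False
    if len(new_password) < 8:
        return False
    user.password_hash = hash_password(new_password)
    return True


def change_password_hardened(
    user: User, old_password: str, new_password: str
) -> Tuple[bool, str]:
    """Always require and verify the current password before accepting a new one.
    Returns (accepted, reason) so callers can log the rejection cause."""
    if not old_password:
        return False, "current password is required"
    if not verify_password(old_password, user.password_hash):
        return False, "current password is incorrect"
    if len(new_password) < 8:
        return False, "new password too short"
    if verify_password(new_password, user.password_hash):
        return False, "new password must differ from the current one"
    user.password_hash = hash_password(new_password)
    return True, "password changed"


def demo() -> dict:
    """Exercise both handlers with an attacker who does not know the old password."""
    results = {}
    victim = User("editor", "correct-horse-battery")
    # Attacker at the unattended workstation leaves the old-password field blank.
    results["vulnerable_accepts_blank_old"] = change_password_vulnerable(
        victim, "", "attacker-chosen-pw"
    )
    results["vulnerable_owner_locked_out"] = not verify_password(
        "correct-horse-battery", victim.password_hash
    )

    victim = User("editor", "correct-horse-battery")
    results["hardened_rejects_blank_old"] = change_password_hardened(
        victim, "", "attacker-chosen-pw"
    )[0]
    results["hardened_rejects_wrong_old"] = change_password_hardened(
        victim, "guess", "attacker-chosen-pw"
    )[0]
    results["hardened_accepts_correct_old"] = change_password_hardened(
        victim, "correct-horse-battery", "owner-new-pw-2025"
    )[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler is what the advisory's fix restores in spirit: the current password is verified on every change, regardless of how the form was filled in. It does not help against an attacker who already knows the password, and it does not remove the broader risk of an unattended session (session timeouts and re-authentication for sensitive actions address that); it only closes the lockout path the advisory describes.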
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2025-12-11
EPSS evaluated: 2026-05-05 (no EPSS probability or percentile is shown on this page)
Affected Vendors & Products (5 associated CPEs)
Vendor   Product   Version
ibexa    dxp       5.0.0-beta1
ibexa    dxp       5.0.1
ibexa    dxp       5.0.2
ibexa    dxp       5.0.3
ibexa    dxp       5.0.4 (the fixed release, listed among the associated CPEs)
CWE
CWE-620 (Unverified Password Change): When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Ibexa DXP versions 5.0.0-beta1 through 5.0.3. An error introduced during the transition from version 4 to 5 causes the validation of the previous password not to run when a user changes their password in the back office. A logged-in user can therefore set a new password without knowing the current one, so anyone who obtains an authenticated back-office session (the unattended workstation in the advisory is one example) can change the password and lock out the legitimate user.


How can this vulnerability impact me?

An attacker who gains access to an already-authenticated back-office session can change that user's password without knowing the original one. The legitimate user is then locked out and the attacker retains control of the account and whatever it can reach in the system. Note that the flaw does not provide initial access: it requires an existing session, which is why it is rated as a weakness in the password-change step (CWE-620) rather than an authentication bypass.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Ibexa DXP to version 5.0.4 or later, which restores the previous-password validation. Until the upgrade is applied, the exposure is limited to users who leave back-office sessions unattended or otherwise lose control of a session, so short session timeouts and locking workstations reduce the window.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability lets a logged-in user change their password without knowing the previous one because validation in the back-office password-change form does not run. Detection therefore comes down to the installed version: the Ibexa DXP user package at 5.0.0-beta1 through 5.0.3 is vulnerable, and 5.0.4 fixes it. The advisory provides no network or system commands to detect exploitation; the recommended approach is to check the installed package version (a Composer-managed installation records it in the project's composer.lock) and ensure it is 5.0.4 or later. Because exploitation requires back-office access, monitoring for unexpected password changes and for unauthorized use of back-office sessions may help detect abuse, but no explicit commands or detection scripts are provided. [1, 3]
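The version check above can be scripted against composer.lock, which every Composer-managed Ibexa project carries. The following is an added example, not a tool from the advisory or from Ibexa; it assumes the affected package is published under the Composer name "ibexa/user" (the page only says "the Ibexa DXP user package"), parses the lock file, and flags versions in the inclusive range 5.0.0-beta1 to 5.0.3. Pre-release ordering is handled explicitly so that 5.0.0-beta1 sorts below 5.0.0 and development branches such as dev-main are ignored rather than mis-parsed. The sample lock file at the bottom is constructed for the demonstration.

```python
"""Flag Composer packages whose installed version falls in the affected range
for this advisory. Added example; not from the advisory or from Ibexa."""
import json
import sys
from typing import List, Sequence, Tuple

AFFECTED_LOW = "5.0.0-beta1"   # first affected version (inclusive)
AFFECTED_HIGH = "5.0.3"        # last affected version (inclusive); fixed in 5.0.4
# Assumption: the "Ibexa DXP user package" named on the page is ibexa/user.
DEFAULT_PACKAGES: Sequence[str] = ("ibexa/user",)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, Tuple[str, int]]:
    """Turn 'v5.0.0-beta1' into a tuple that sorts correctly.

    Layout: (numeric core, release flag, pre-release tag). The flag is 0 for a
    pre-release and 1 for a final release, so 5.0.0-beta1 < 5.0.0 < 5.0.1.
    Raises ValueError for non-numeric cores such as 'dev-main' or '5.0.x-dev'.
    """
    text = version.strip().lstrip("v")
    core, _, pre = text.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums = nums + (0,) * (3 - len(nums))        # pad '5.0' to (5, 0, 0)
    if not pre:
        return nums, 1, ("", 0)
    label = pre.rstrip("0123456789")             # 'beta1' -> 'beta'
    number = pre[len(label):]                    # 'beta1' -> '1'
    return nums, 0, (label, int(number) if number else 0)


def is_affected(version: str) -> bool:
    """True when the version lies inside [AFFECTED_LOW, AFFECTED_HIGH]."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return False  # branch aliases and other non-releases are not flagged
    return parse_version(AFFECTED_LOW) <= parsed <= parse_version(AFFECTED_HIGH)


def scan_lock(lock_text: str, packages: Sequence[str] = DEFAULT_PACKAGES) -> List[Tuple[str, str]]:
    """Return (name, version) pairs for watched packages at an affected version."""
    data = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name = pkg.get("name", "")
            version = pkg.get("version", "")
            if name in packages and is_affected(version):
                hits.append((name, version))
    return hits


# Constructed composer.lock excerpt for the demonstration (not a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "ibexa/user", "version": "v5.0.2"},
        {"name": "ibexa/core", "version": "v5.0.2"},
        {"name": "symfony/security-core", "version": "v6.4.8"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.19"},
    ],
})


if __name__ == "__main__":
    # Usage: python check_ibexa_user.py [path/to/composer.lock]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in scan_lock(text) or []:
        print(f"AFFECTED: {name} {version} (upgrade to 5.0.4 or later)")
    if not scan_lock(text):
        print("no watched package at an affected version")
```

Point the script at a real composer.lock to check an installation; the same range logic works for any other Composer package name once the assumed package list is adjusted.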

