Unverified Password Change in Ibexa DXP - #VU119819

Published: December 10, 2025


Vulnerability identifier: #VU119819
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-620
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ibexa
Affected software:
Ibexa DXP

Detailed vulnerability description

The vulnerability allows an attacker to perform an unverified password change.

The vulnerability exists due to an error in the validation code that causes the check of the previous password to fail. An attacker with access to the user's current session can change the password in the back office without knowing the previous password.
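As an added illustration of the CWE-620 pattern the advisory describes (constructed example, not Ibexa's code), a minimal back-office password-change handler in which the current-password validation runs but its result is never enforced, beside the hardened form. The page does not state the exact defect in Ibexa DXP, so the failure mode shown here is an assumption; the names `User`, `change_password_vulnerable` and `change_password_fixed` are hypothetical.

```python
"""CWE-620 (Unverified Password Change) illustrated: a handler that hashes the
new password regardless of whether the previous-password check passed, beside
a version that refuses the change when validation fails. Constructed example."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    """Hypothetical back-office account holding a salted password digest."""
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt, self.digest = hash_password(password)


def validate_current_password(user: User, current: str) -> List[str]:
    """Form-style validator: returns a list of errors, empty when valid."""
    errors = []
    if not verify_password(current, user.salt, user.digest):
        errors.append("current password does not match")
    return errors


def change_password_vulnerable(user: User, current: str, new: str) -> bool:
    # Assumed defect: the validator runs, but its errors are discarded, so the
    # previous password is effectively never verified (CWE-620).
    validate_current_password(user, current)
    user.salt, user.digest = hash_password(new)
    return True


def change_password_fixed(user: User, current: str, new: str) -> bool:
    # Hardened form: a non-empty error list blocks the change.
    if validate_current_password(user, current):
        return False
    user.salt, user.digest = hash_password(new)
    return True
```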


Remediation

Install updates from the vendor's website.

Sources