Password Change Vulnerability in Ibexa DXP
CVE-2025-67719

8.5 HIGH

Key Information:

Vendor

Ibexa

Status
Vendor
CVE Published:
11 December 2025

What is CVE-2025-67719?

Ibexa DXP, a digital experience platform, has a flaw in its password validation process. In versions 5.0.0-beta1 to 5.0.3, an error introduced during the transition from version 4 to version 5 allows logged-in users to change their password without knowing the previous one. An attacker with access to an open session, for example one that a user has left unattended, could change the password, leading to unauthorized access and locking the legitimate user out of their account. The issue is fixed in version 5.0.4.

Affected Version(s)

user >= 5.0.0-beta1, < 5.0.4

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
