Home > Vulnerability Database > WS-2022-0388

Mend.io Vulnerability Database

WS-2022-0388

Date: August 19, 2025

In repository-forms prior to 2.5.15, users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The fix ensures that subtree limitations are working as intended.

Language: PHP

Severity Score

4.3

Related Resources (5)

Url: https://github.com/ezsystems/repository-forms/commit/cac51487f8a10e48448399bedb45a519874f1006

Url: https://github.com/ezsystems/repository-forms/security/advisories/GHSA-446q-xxg5-3vhh

Url: https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips

Url: https://github.com/ezsystems/repository-forms

Url: https://www.mend.io/vulnerability-database/WS-2022-0388

Severity Score

4.3

Weakness Type (CWE)

Improper Privilege Management

CWE-269

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0388

Date: August 19, 2025

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?