Affected versions: eZ Platform 2.x
Resolving versions: ezsystems/ezplatform-admin-ui-assets v4.2.0 (eZ Platform v2.5.3)
In eZ Platform 2.x, ezsystems/ezplatform-admin-ui-assets before v4.2.0 includes jQuery version 3.3.1. This version of jQuery is affected by the security vulnerability https://www.cvedetails.com/cve/CVE-2019-11358/
This is fixed in jQuery version 3.4. We recommend that you upgrade your ezsystems/ezplatform-admin-ui-assets to v4.2.0 using Composer. This release includes jQuery 3.4.1.
This issue was reported to us by Carlos Revillo from The Cocktail:
We are very grateful for his research, and responsible disclosure to us.
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/