Security advisory: IBEXA-SA-2021-004

Map/Host matcher exposes backend URL in the frontend
Publication date:
20/04/2021, 09:18

Severity:
High

Affected versions: ezsystems/ezplatform-page-builder v1.3.*, v2.2.*, v2.3.*
Resolving versions: ezsystems/ezplatform-page-builder v1.3.16.1, v2.2.3.1, v2.3.1.1

When using the Map/Host URL matcher, the frontend client-side code includes a reference to the backend URL. This in itself does not breach the backend. One would also need a valid login (and VPN access if network-level protections are in place). However it is better not to expose the backend URL. The fix ensures that the backend URL reference is only present when the frontend is called by the backend, as Page Builder does for preview purposes.

The issue affect releases that include Page Builder v1.3 and newer, so eZ Platform Enterprise Edition v2.5, and Ibexa Experience and Ibexa Commerce v3.2 and v3.3.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/

All security advisories