Security advisory: IBEXA-SA-2021-004

Map/Host matcher exposes backend URL in the frontend
Publication date: 20/04/2021, 09:18

Severity: High

Affected versions: ezsystems/ezplatform-page-builder v1.3.*, v2.2.*, v2.3.*
Resolving versions: ezsystems/ezplatform-page-builder v1.3.16.1, v2.2.3.1, v2.3.1.1

When using the Map/Host URL matcher, the frontend client-side code includes a reference to the backend URL. This in itself does not breach the backend, since one would also need a valid login (and VPN access if network-level protections are in place). However, it is better not to expose the backend URL. The fix ensures that the backend URL reference is only present when the frontend is called by the backend, as Page Builder does for preview purposes.

The issue affects releases that include Page Builder v1.3 and newer, that is, eZ Platform Enterprise Edition v2.5, and Ibexa Experience and Ibexa Commerce v3.2 and v3.3.
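
One way to check a project's composer.lock against the affected and resolving versions listed above. This is an added example, not Ibexa's code; the function names, the result labels and the sample lock data are constructed for illustration.

```python
import json
import sys

PACKAGE = "ezsystems/ezplatform-page-builder"
# Resolving version for each affected branch, as listed in the advisory.
FIXED = {(1, 3): (1, 3, 16, 1), (2, 2): (2, 2, 3, 1), (2, 3): (2, 3, 1, 1)}

# Constructed sample of the relevant part of a composer.lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/http-kernel", "version": "v5.2.6"},
    {"name": PACKAGE, "version": "v2.3.1"},
]})


def parse_version(text):
    """'v2.3.1.1' -> (2, 3, 1, 1); None for non-numeric versions like 'dev-master'."""
    parts = text.lstrip("vV").split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad so 2.3.1 sorts before 2.3.1.1


def assess(lock_text):
    """Classify the locked Page Builder version against the advisory."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"        # branch alias or dev build: check manually
        fixed = FIXED.get(version[:2])
        if fixed is None:
            return "not-listed"     # branch not named in the advisory
        return "fixed" if version >= fixed else "affected"
    return "not-installed"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            print(assess(handle.read()))
    else:
        print(assess(SAMPLE_LOCK))
```

Run it with the path to composer.lock as the only argument; without an argument it classifies the constructed sample.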


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
