Security advisory: IBEXA-SA-2021-010

XSS in richtext custom tag attributes
Publication date:
25/11/2021, 13:15


Affected versions: ezsystems/ezplatform-richtext v2.3.*, ezsystems/ezplatform-admin-ui v1.5.*
Resolving versions: ezsystems/ezplatform-richtext v2.3.7.1, ezsystems/ezplatform-admin-ui v1.5.25.1

The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible if custom tags are used, for users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor. It affects Ibexa DXP v3.3 and eZ Platform v2.5.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories