Security advisory: IBEXA-SA-2021-010

XSS in richtext custom tag attributes
Publication date:
25/11/2021, 13:15

Severity:
Medium

Affected versions: ezsystems/ezplatform-richtext v2.3.*, ezsystems/ezplatform-admin-ui v1.5.*
Resolving versions: ezsystems/ezplatform-richtext v2.3.7.1, ezsystems/ezplatform-admin-ui v1.5.25.1

The rich text editor does not escape attribute data when previewing custom tags. This makes cross-site scripting (XSS) possible when custom tags are used, by users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor. It affects Ibexa DXP v3.3 and eZ Platform v2.5.
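The pattern behind this class of bug, as an added illustration that is not Ibexa's code and does not reproduce the actual editor implementation: a minimal preview renderer that interpolates custom-tag attribute data into markup unescaped, beside the hardened form that escapes every attribute value before it is placed in the preview. The tag name, attribute names and the sample value are constructed for the example; `countTags` is a simple helper used to show that the escaped output contains only the one intended element.

```javascript
// Added example (not from the advisory or the Ibexa code base): unescaped
// versus escaped rendering of custom-tag attribute data in an editor preview.

// Escape the characters that can terminate a double-quoted attribute value
// or start a new tag; the same function is safe for text content.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: attribute data is interpolated straight into the markup,
// so a value containing a quote or '<' breaks out of the attribute.
function renderPreviewUnsafe(tagName, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `data-${k}="${v}"`);
  return `<span class="custom-tag-preview" ${parts.join(" ")}>${tagName}</span>`;
}

// Hardened pattern: every attribute value and the displayed name pass through
// escapeHtmlAttr before being concatenated into the preview markup.
function renderPreviewSafe(tagName, attrs) {
  const parts = Object.entries(attrs).map(
    ([k, v]) => `data-${k}="${escapeHtmlAttr(v)}"`
  );
  return `<span class="custom-tag-preview" ${parts.join(" ")}>${escapeHtmlAttr(tagName)}</span>`;
}

// Rough structural check: number of opening tags in the rendered markup.
// A correctly escaped preview of one custom tag yields exactly one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample: an attribute value with characters that matter to HTML.
const sampleAttrs = { title: 'Fig. 1 "Ibexa" <draft> & notes' };

console.log(renderPreviewUnsafe("factbox", sampleAttrs)); // attribute breakout: 2 tags
console.log(renderPreviewSafe("factbox", sampleAttrs));   // intact: 1 tag
```

The unsafe variant turns the `<draft>` fragment of the attribute value into a second element in the preview DOM, which is exactly the condition that lets script-bearing markup reach other editors; the safe variant keeps it inert as text inside the attribute.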


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
