Security advisory: IBEXA-SA-2022-003

Symfony validation messages are not escaped

Publication date: 21/04/2022, 14:33
Severity: Medium

Affected versions: ibexa/templated-uri-bundle v2.1.*, v3.3.*
Resolving versions: ibexa/templated-uri-bundle v2.1.0.1, v3.3.2.1

This security advisory concerns a vulnerability in Symfony where validation messages are not HTML-escaped when rendered, so a validation message that includes user-submitted input can lead to cross-site scripting (XSS). There is no known exploit against Ibexa software, but we recommend applying the fix.
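
As an added illustration (not code from Ibexa, Symfony, or this advisory), the following PHP shows the pattern behind this class of bug: a validation message that interpolates the submitted value is rendered once without HTML escaping and once with it. The helper functions and the `{{ value }}` placeholder are assumptions chosen for the example, not Symfony's or Ibexa's API.

```php
<?php
// Added example, not Ibexa or Symfony code: a validation message that embeds
// the submitted value becomes an XSS sink when the message is emitted into
// HTML verbatim; escaping at the HTML boundary closes it.
// The functions below are hypothetical stand-ins for a form theme's error
// rendering; "{{ value }}" is the placeholder convention assumed here.

declare(strict_types=1);

// Build the message the way a constraint would: the raw submitted value is
// substituted into the message template. The message is plain text at this
// point, so no escaping belongs here.
function buildValidationMessage(string $template, string $submitted): string
{
    return strtr($template, ['{{ value }}' => $submitted]);
}

// Vulnerable renderer: emits the message into HTML without escaping, so any
// markup in the submitted value reaches the browser as markup.
function renderErrorUnescaped(string $message): string
{
    return '<li>' . $message . '</li>';
}

// Hardened renderer: escapes at the HTML boundary, so markup in the submitted
// value is displayed as text instead of being interpreted.
function renderErrorEscaped(string $message): string
{
    return '<li>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Constructed sample input: a submitted value that carries HTML markup.
$template  = 'The value "{{ value }}" is not a valid email address.';
$submitted = '<b>not-an-email</b>';
$message   = buildValidationMessage($template, $submitted);

echo renderErrorUnescaped($message), PHP_EOL;
echo renderErrorEscaped($message), PHP_EOL;
```

Run it with `php example.php`: the first output line carries the submitted markup through literally, the second shows it entity-encoded. The design point is where escaping happens: the message stays plain text while it is built and is escaped exactly once, at the point it is written into HTML, which is where a fix for this class of bug belongs.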

The issue is fixed in symfony/framework-bundle 2.8.50, 3.4.26, 4.1.12, and 4.2.7.
The Ibexa package ibexa/templated-uri-bundle requires these fixed versions as of v2.1.0.1 (eZ Platform v2.5) and v3.3.2.1 (Ibexa DXP v3.3 and v4).

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/