Security advisory: IBEXA-SA-2022-005

Vulnerabilities in Axios dependency
Publication date: 18/05/2022, 14:17

Severity: High

Affected versions: ezsystems/ezcommerce-shop v3.3.*, ibexa/commerce-shop v4.0.*, v4.1.*
Resolving versions: ezsystems/ezcommerce-shop v3.3.17, ibexa/commerce-shop v4.0.6, v4.1.3

Ibexa Commerce uses a version of Axios with two known vulnerabilities: a server-side request forgery (SSRF) and an inefficient regular expression that can enable denial-of-service (DoS) attacks. There are no known exploits against Ibexa Commerce. The fix upgrades Axios to v0.21.2. It is included in Ibexa Commerce v3.3.19, v4.0.6, and v4.1.3.
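Because the fix is a dependency bump, the check a practitioner wants is whether any installed copy of Axios in a project's npm lockfile is still older than the fixed version named above. The following is an added example, not code from Ibexa or from this advisory: it walks a lockfile object (both the lockfileVersion 1 nested `dependencies` layout and the lockfileVersion 2/3 flat `packages` layout), compares every resolved `axios` version against 0.21.2, and lists the copies that remain below it, including nested copies under other packages that a top-level bump can miss. The two sample lockfiles are constructed for the demo.

```javascript
// Added example (not part of the Ibexa advisory): flag Axios copies in an
// npm lockfile that are older than the fixed version. The fixed version
// (0.21.2) comes from the advisory; the sample lockfiles are constructed.

const FIXED_AXIOS_VERSION = '0.21.2';

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are
// stripped, which is good enough for comparing released Axios versions.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b (numeric, not lexical,
// so 0.21.10 correctly sorts after 0.21.2).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name` from a parsed package-lock.json.
// lockfileVersion 2/3 keys packages by path ("node_modules/foo/node_modules/axios");
// lockfileVersion 1 nests them under each package's "dependencies".
function findInstalledVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
      if (isTarget && typeof meta.version === 'string') {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name && typeof meta.version === 'string') {
          found.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Every installed Axios copy still below the fixed version.
function vulnerableAxiosCopies(lock, fixed = FIXED_AXIOS_VERSION) {
  return findInstalledVersions(lock, 'axios')
    .filter(({ version }) => compareVersions(version, fixed) < 0);
}

// Constructed lockfileVersion 2 sample: the hoisted copy is still old,
// a nested copy under another package is already patched.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-shop', version: '1.0.0' },
    'node_modules/axios': { version: '0.21.1' },
    'node_modules/some-widget': { version: '2.0.0' },
    'node_modules/some-widget/node_modules/axios': { version: '0.21.2' },
  },
};

// Constructed lockfileVersion 1 sample: only a nested, pre-fix copy exists.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-widget': {
      version: '2.0.0',
      dependencies: { axios: { version: '0.19.2' } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const hit of vulnerableAxiosCopies(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${hit.path} has axios ${hit.version} < ${FIXED_AXIOS_VERSION}`);
  }
}
```

To run it against a real project, replace the constructed samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. An empty result means no copy of Axios below 0.21.2 is resolved in that lockfile; a non-empty result with a nested path shows which intermediate package still pins the old version.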


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
