Security advisory: IBEXA-SA-2022-006

Vulnerabilities in Page Builder, login, and Commerce
Publication date:
31/05/2022, 15:11

Severity:
High

Affected versions: ezsystems/ezplatform-page-builder v1.3.*, v2.3.*, ezsystems/JMSPaymentCoreBundle v3.0.*, ezsystems/ezcommerce-shop v2.5.*, v3.3.*, ibexa/commerce-shop v4.0.*, v4.1.*, ezsystems/ezpublish-kernel v7.5.*, ezsystems/ezplatform-kernel v1.3.*, ibexa/core v4.0.*, v4.1.*
Resolving versions: ezsystems/ezplatform-page-builder v1.3.27, v2.3.19, ezsystems/JMSPaymentCoreBundle v3.0.2, ezsystems/ezcommerce-shop v2.5.13, v3.3.18, ibexa/commerce-shop v4.0.7, v4.1.4, ezsystems/ezpublish-kernel v7.5.29, ezsystems/ezplatform-kernel v1.3.19, ibexa/core v4.0.7, v4.1.4

This security advisory covers three vulnerabilities affecting several components and versions. We recommend applying the fixes as soon as possible. They are included in Ibexa DXP v3.3.20, v4.0.7, v4.1.4 and eZ Platform v2.5.30.

Page builder cache poisoning

This vulnerability affects Page Builder, meaning Ibexa Experience and Commerce are affected, v2.5 and newer. It is possible for a client to bypass Edge Side Includes (ESI) and cause landing pages to be built inline and cached without ESIs. This cached version will be served to other clients, making it a form of cache poisoning. The attacker has no further control over the cached content, which limits the severity. The fix ensures the client has no way of affecting the cache.

Login timing attack

Ibexa DXP has been using a random execution delay to hinder timing attacks against user accounts. A timing attack of this kind is a method of discovering whether a given account exists in the system without knowing its password, which affects privacy. This implementation was found to be insufficient in some situations. The fix replaces it with constant-time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. A warning is logged if the constant time is exceeded; if this happens, the setting should be increased.
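The following Python script is an added illustration of the two approaches described above and is not code from Ibexa or the advisory. It models a login where a missing account returns quickly while an existing account pays for a slow password hash, which is the timing difference an attacker measures. The "random delay" variant adds jitter, which does not remove the difference between the medians; the "constant time" variant pads every attempt to a fixed budget (standing in for constant_auth_time) and logs a warning when the work already took longer than the budget. The user database, the budget value, and all function names are constructed for this example.

```python
import hashlib
import hmac
import logging
import os
import random
import statistics
import time
from typing import NamedTuple

log = logging.getLogger("auth")

# Constructed demo user store: username -> (salt, PBKDF2 hash). Not real accounts.
_ITERATIONS = 20_000
_SALT = os.urandom(16)
_USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)),
}

# Stand-in for the 'ibexa.security.authentication.constant_auth_time' budget (seconds).
CONSTANT_AUTH_TIME = 0.1


def _verify_credentials(username: str, password: str) -> bool:
    """Naive check: unknown users return immediately, known users pay for the hash."""
    record = _USERS.get(username)
    if record is None:
        return False  # fast path: this is what leaks account existence
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def random_delay_authenticate(username: str, password: str) -> bool:
    """The older mitigation: add random jitter. Medians over many attempts still differ."""
    ok = _verify_credentials(username, password)
    time.sleep(random.uniform(0, 0.03))
    return ok


class AuthResult(NamedTuple):
    ok: bool
    exceeded: bool  # True when the real work already overran the constant budget


def constant_time_authenticate(username: str, password: str,
                               constant_auth_time: float = CONSTANT_AUTH_TIME) -> AuthResult:
    """The fixed approach: pad every attempt to the same wall-clock budget."""
    start = time.monotonic()
    ok = _verify_credentials(username, password)
    work = time.monotonic() - start
    exceeded = work > constant_auth_time
    if exceeded:
        # Operators should raise the configured budget when this fires.
        log.warning("authentication took %.3fs, exceeding constant_auth_time=%.3fs",
                    work, constant_auth_time)
    else:
        time.sleep(constant_auth_time - work)
    return AuthResult(ok, exceeded)


def timed(fn, *args) -> float:
    """Wall-clock seconds for one call, as an attacker would measure from outside."""
    start = time.monotonic()
    fn(*args)
    return time.monotonic() - start


def median_gap(fn, rounds: int = 9) -> float:
    """Median time for an existing user minus median time for a missing user."""
    existing = statistics.median(timed(fn, "alice", "wrong password") for _ in range(rounds))
    missing = statistics.median(timed(fn, "nobody", "wrong password") for _ in range(rounds))
    return existing - missing


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(f"random-delay gap:   {median_gap(random_delay_authenticate):+.4f}s")
    print(f"constant-time gap:  {median_gap(constant_time_authenticate):+.4f}s")
```

Run it a few times: the random-delay gap stays roughly the cost of one password hash, while the constant-time gap hovers around zero as long as the budget is larger than the slowest real path. The warning branch is the operational signal the advisory describes: a server under load or with a more expensive hash will overrun the budget, and the fix is to raise the configured value rather than to accept the leak.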

This issue was reported to us by Christoph Rottermanner and Jonas Roller from it.sec. We are very grateful for their research, and responsible disclosure to us. it.sec is a consulting company founded in 1996 that offers consulting services in the areas of information security, IT compliance & data protection and IT forensics/discovery. Their employees have been conducting security investigations for their customers for years, advising and implementing holistic security concepts. See https://it-sec.de/

SSL verification disabled in Commerce

For certain connections, Ibexa Commerce has disabled verification of the peer's certificate. This allows the use of self-signed certificates, but also potentially allows man-in-the-middle attacks. The fix ensures certificate verification is enabled. If you are using self-signed certificates, you will need to obtain a properly signed certificate. This vulnerability affects Ibexa Commerce v3.3 and newer.

Please be aware that while the fix affects the ERP and PayPal integrations in Ibexa Commerce v3.3 and v4, these integrations are at present only supported in v3.3. Support in v4 is in progress and will be included in a later release.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
