Security advisory: IBEXA-SA-2022-007

Vulnerabilities in jQuery, Vue dependencies
Publication date: 07/10/2022, 15:24

Severity: High

Affected versions: ezsystems/ezcommerce-shop v3.3.*, ezsystems/ezcommerce-transaction v1.0.*, ibexa/commerce-shop v4.2.*, ibexa/commerce-transaction v4.2.*
Resolving versions: ezsystems/ezcommerce-shop v3.3.22, ezsystems/ezcommerce-transaction v1.0.10, ibexa/commerce-shop v4.2.2, ibexa/commerce-transaction v4.2.2

This vulnerability affects Ibexa Commerce v3.3 and newer. Commerce bundles the JavaScript dependencies jQuery and Vue in versions that are unsupported and have known security issues. There are no known exploits against these, given how they are used in Commerce. Regardless, it is important to bring them up to date. This advisory updates jQuery to v3.6 and Vue to v2.6.14. It is included in Ibexa Commerce v3.3.22 and v4.2.2, which were released today.
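
To check whether an installation still carries one of the affected package versions, the `composer.lock` file can be compared against the version table above. The script below is an added example, not code from Ibexa; the function names and the sample lock excerpt are constructed for illustration, and only stable `x.y.z` tags are evaluated (dev branches are reported as `unknown`).

```python
import json
import re

# Affected branch and first resolving release, taken from IBEXA-SA-2022-007.
ADVISORY = {
    "ezsystems/ezcommerce-shop": ((3, 3), (3, 3, 22)),
    "ezsystems/ezcommerce-transaction": ((1, 0), (1, 0, 10)),
    "ibexa/commerce-shop": ((4, 2), (4, 2, 2)),
    "ibexa/commerce-transaction": ((4, 2), (4, 2, 2)),
}

def parse_version(raw):
    """Return (major, minor, patch) for a stable tag such as 'v3.3.21', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def check_lock(lock_text):
    """Return (package, installed, status) for each advisory package in composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "").lower()
        if name not in ADVISORY:
            continue
        branch, fixed = ADVISORY[name]
        installed = pkg.get("version", "")
        version = parse_version(installed)
        if version is None:
            status = "unknown"       # dev branch or alias: verify by hand
        elif version[:2] != branch:
            status = "not-listed"    # outside the branches this advisory names
        elif version < fixed:
            status = "affected"      # on the affected branch, below the resolving version
        else:
            status = "fixed"
        findings.append((name, installed, status))
    return findings

# Constructed composer.lock excerpt for demonstration.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "ibexa/commerce-shop", "version": "v4.2.1"},
    {"name": "ibexa/commerce-transaction", "version": "v4.2.2"},
    {"name": "ezsystems/ezcommerce-shop", "version": "3.3.x-dev"},
    {"name": "symfony/console", "version": "v5.4.9"},
]})

if __name__ == "__main__":
    for name, installed, status in check_lock(SAMPLE_LOCK):
        print(f"{status:10} {name} {installed}")
```

Against a real project, pass the contents of the project's `composer.lock` to `check_lock` instead of the sample.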


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
