Security advisory: IBEXA-SA-2024-002

File validation and workflow stages
Publication date: 20/03/2024, 17:39

Affected versions: Ibexa DXP v4.6.*, v4.5.*, v3.3.*
Resolving versions: Ibexa DXP v4.6.2, v4.5.6, v3.3.37

This security advisory resolves two vulnerabilities, fixed in the respective releases for all supported branches.

File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. An attacker would need to have existing access to create content with a file field type to exploit this. The fix ensures these unwanted file types are never stored.
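
An added example, not part of the advisory or of Ibexa's code: a check an administrator could run over the binary file storage directory to list files whose extension is on the rejected list, such as files stored by saved drafts. The extension list, the assumption that stored files keep their extension on disk, and the sample directory tree are all assumptions made for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

# Assumption: the extensions your file validation is configured to reject.
# Replace with the list from your own configuration.
REJECTED_EXTENSIONS = {"php", "phar", "phtml"}


def find_rejected_files(storage_root, rejected=REJECTED_EXTENSIONS):
    """Return sorted paths under storage_root whose name carries a rejected extension.

    Every dot-separated suffix is checked, case-insensitively, so that
    'notes.PHP' and 'img.phtml.png' are both reported for review.
    """
    rejected = {ext.lower().lstrip(".") for ext in rejected}
    hits = []
    for dirpath, _dirs, files in os.walk(storage_root):
        for name in files:
            suffixes = [s.lower() for s in name.split(".")[1:]]
            if any(s in rejected for s in suffixes):
                hits.append(str(Path(dirpath, name)))
    return sorted(hits)


def build_sample_storage(root):
    """Constructed sample tree standing in for a binary-file storage directory."""
    for rel in ("a/1/doc.pdf", "a/2/notes.PHP", "b/3/img.phtml.png", "b/4/php"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real directory passed on the command line.
        for hit in find_rejected_files(sys.argv[1]):
            print(hit)
    else:
        # No argument: run against the constructed sample tree.
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_storage(tmp)
            for hit in find_rejected_files(tmp):
                print(os.path.relpath(hit, tmp))
```

Each reported path is a candidate for review against the content draft that references it, not proof of malicious intent.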

The limitation check for "workflow / change stage" is not performed correctly. This means that if a role is configured with access limited to specific workflow transitions, a backend user may be able to choose transitions they should not be able to. An attacker would need to have existing access to edit content in the backend to exploit this. The fix ensures limitations are properly handled.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:
