Security advisory: IBEXA-SA-2024-005

Persistent XSS in RichText
Publication date: 14/08/2024, 13:17

Severity: High

Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-richtext), Ibexa DXP v4.6.* (ibexa/fieldtype-richtext)
Resolving versions: Ibexa DXP v3.3.40 (ezsystems/ezplatform-richtext), Ibexa DXP v4.6.10 (ibexa/fieldtype-richtext)

This security advisory resolves a vulnerability in RichText fields. The link validator relied on a blocklist that rejected the javascript: and vbscript: protocols to prevent XSS. A blocklist leaves every protocol it does not name open, and the check could be circumvented. Content editing permissions for RichText content are required to exploit this vulnerability, which typically means the Editor role or higher. Injected XSS is persistent: it is stored with the content and served to every viewer. The fix replaces the blocklist with an allowlist that accepts only approved link protocols, and the new check is case insensitive.
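The following is an added illustration of the blocklist-versus-allowlist point, not Ibexa's code: a simplified case-sensitive prefix blocklist next to an allowlist link validator that compares the URL scheme case-insensitively after browser-style whitespace normalization. The set of approved protocols and the function names are assumptions constructed for this example.

```python
import re

# Constructed allowlist of approved link protocols (an assumption, not Ibexa's actual list).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "tel", "ftp"})

# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "-" or ".", then ":".
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def _normalize(href):
    """Browsers strip surrounding whitespace and ignore ASCII tab/newline inside a URL
    before resolving it, so the validator must look at the same string the browser will."""
    href = href.strip(" \t\r\n\f")
    return re.sub(r"[\t\r\n]", "", href)


def blocklist_allows(href):
    """Simplified stand-in for the pre-fix approach: reject only two named protocols,
    compared as an exact, case-sensitive prefix. Anything else is accepted."""
    return not href.startswith(("javascript:", "vbscript:"))


def allowlist_allows(href):
    """Post-fix approach: accept a link only if its scheme is on the approved list.
    Scheme-less links (relative paths, fragments) are accepted because they cannot
    select a protocol of their own."""
    href = _normalize(href)
    match = _SCHEME_RE.match(href)
    if match is None:
        return True  # relative URL such as /path or #fragment
    return match.group(1).lower() in ALLOWED_SCHEMES


def rejected_links(hrefs):
    """Return the submitted hrefs that the allowlist validator would refuse to store."""
    return [h for h in hrefs if not allowlist_allows(h)]


if __name__ == "__main__":
    # Constructed sample of link targets an editor might submit in a RichText field.
    sample = ["https://example.com/page", "/relative/path#section", "mailto:editor@example.com"]
    for href in sample:
        print(f"{href!r}: blocklist={blocklist_allows(href)} allowlist={allowlist_allows(href)}")
    print("rejected:", rejected_links(sample))
```

Run against mixed-case or padded scheme names, the blocklist function still returns True while the allowlist function returns False, which is the difference the advisory's fix relies on.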

This vulnerability was discovered and reported to Ibexa by Alec Romano: https://github.com/4rdr
We thank them for reporting it responsibly to us.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/