Security Advisory IBEXA-SA-2024-005: Persistent XSS in RichText

Publication date: 14/08/2024, 13:17

Severity: High

Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-richtext), Ibexa DXP v4.6.* (ibexa/fieldtype-richtext)
Resolving versions: Ibexa DXP v3.3.40 (ezsystems/ezplatform-richtext), Ibexa DXP v4.6.10 (ibexa/fieldtype-richtext)

This security advisory resolves a vulnerability in RichText fields. The validator blocklists javascript: and vbscript: in links to prevent XSS. This can leave other options open, and the check can be circumvented. Content editing permissions for RichText content is required to exploit this vulnerability, which typically means Editor role or higher. Injected XSS is persistent. The fix implements an allowlist instead, which allows only approved link protocols. The new check is case insensitive.

This vulnerability was discovered and reported to Ibexa by Alec Romano: https://github.com/4rdr
We thank them for reporting it responsibly to us.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/

All security advisories

Tech blog

Get started with Ibexa DXP

Tutorials

Training

Slack

GitHub

Product roadmap

Community packages

REST API reference

GraphQL API docs

Product security at Ibexa

Security Advisories

Software service life

Issue tracker

Security advisory: IBEXA-SA-2024-005

Persistent XSS in RichText