Security advisory: IBEXA-SA-2024-006

Vulnerabilities in Content name pattern, Commerce shop, and Varnish/vhost templates
Publication date: 28/11/2024, 15:21

Severity: High

Affected versions: Ibexa DXP v3.3.*, Ibexa DXP v4.6.* (several repositories, please see the description)
Resolving versions: Ibexa DXP v3.3.41, Ibexa DXP v4.6.14 (several repositories, please see the description)

This security advisory concerns three fixes released together, two of which are of critical severity. We strongly recommend applying the fixes as soon as possible if you are affected.

XSS in fields used in the Content name pattern

The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it.

Ibexa DXP v4.6: ibexa/admin-ui v4.6.14

Outdated jQuery-UI in v3.3 Commerce shop

Commerce shop v3.3 uses jQuery-UI, which needs to be upgraded due to an injection vulnerability. In v4.6, only users of the old Commerce solution are affected.

Ibexa DXP v4.6: ibexa/commerce-shop v4.6.14
Ibexa DXP v3.3: ezsystems/ezcommerce-shop v3.3.26

BREACH vulnerability in Varnish VCL and vhost templates

Our Varnish VCL templates and Apache/Nginx vhost templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression and allows secrets to be extracted through carefully crafted requests. The fix disables compression. Please make the same change in your own configuration files; see the release notes for specific instructions.
See also: https://www.breachattack.com/

Ibexa DXP v4.6: ibexa/http-cache v4.6.14, ibexa/post-install v4.6.14
Ibexa DXP v3.3: ezsystems/ezplatform-http-cache v2.3.16, ibexa/post-install v1.0.16
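
The following is an added example, not part of the advisory or of Ibexa's templates: a Python check that flags compression directives covering JSON media types in Nginx, Apache and Varnish configuration text. The sample snippets are constructed, and the function name `audit` and the JSON media-type pattern are assumptions of this example; the release notes remain the reference for the exact change.

```python
import re

# Media types treated as API/JSON payloads (assumption of this example); "*" is nginx's match-all.
JSON_TYPE = re.compile(r"^(application/(json|[\w.-]+\+json)|\*)$", re.I)
NGINX = re.compile(r"^\s*gzip_types\s+([^;]+);", re.I)
APACHE = re.compile(r"^\s*AddOutputFilterByType\s+(\S+)\s+(.+)$", re.I)
VARNISH = re.compile(r"\bberesp\.do_gzip\s*=\s*true\b", re.I)

def audit(config_text):
    """Return (line_no, server, detail) for each directive that compresses JSON."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = re.split(r"#|//", raw, maxsplit=1)[0]  # ignore comments
        m = NGINX.match(line)
        if m:
            hits = [t for t in m.group(1).split() if JSON_TYPE.match(t)]
            if hits:
                findings.append((no, "nginx", hits))
            continue
        m = APACHE.match(line)
        if m and "DEFLATE" in m.group(1).upper().split(";"):
            hits = [t for t in m.group(2).split() if JSON_TYPE.match(t)]
            if hits:
                findings.append((no, "apache", hits))
            continue
        if VARNISH.search(line):
            # The guarding condition sits on another line, so flag it for manual review.
            findings.append((no, "varnish", ["check which content types reach this line"]))
    return findings

# Constructed snippets, not Ibexa's shipped templates.
SAMPLE_NGINX = "gzip on;\ngzip_types text/css application/json application/vnd.example+json;\n"
SAMPLE_APACHE = ("AddOutputFilterByType DEFLATE text/html text/css\n"
                 "AddOutputFilterByType DEFLATE application/json\n")
SAMPLE_VCL = 'if (beresp.http.content-type ~ "json") {\n    set beresp.do_gzip = true;\n}\n'
SAMPLE_NO_JSON = "gzip on;\ngzip_types text/css application/javascript;  # no JSON types listed\n"

if __name__ == "__main__":
    for name, text in [("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE),
                       ("vcl", SAMPLE_VCL), ("no-json", SAMPLE_NO_JSON)]:
        print(name, audit(text))
```

The check reads one line at a time, so directives split across several lines and Varnish conditions need a manual look.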


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
