Severity:
Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-workflow v2.3.*, ezsystems/ezplatform-site-factory v1.3.*, ezsystems/ezplatform-form-builder v2.3.*, ezsystems/ezplatform-segmentation v1.1.*, ezsystems/ezplatform-admin-ui v2.3.*, ezsystems/ezplatform-admin-ui-assets v5.3.*, ezsystems/ezcommerce-shop v3.3.*), and Ibexa DXP v4.6.* (ibexa/product-catalog v4.6.*, ibexa/shipping v4.6.*, ibexa/content-tree v4.6.*, ibexa/workflow v4.6.*, ibexa/segmentation v4.6.*, ibexa/site-factory v4.6.*, ibexa/form-builder v4.6.*, ibexa/storefront v4.6.*, ibexa/admin-ui v4.6.*, ibexa/admin-ui-assets v4.6.*, ibexa/fieldtype-richtext v4.6.*, ibexa/taggify v1.2.*)
Resolving versions: Ibexa DXP v3.3.43 (ezsystems/ezplatform-workflow v2.3.20, ezsystems/ezplatform-site-factory v1.3.17, ezsystems/ezplatform-form-builder v2.3.20, ezsystems/ezplatform-segmentation v1.1.13, ezsystems/ezplatform-admin-ui v2.3.38, ezsystems/ezplatform-admin-ui-assets v5.3.5, ezsystems/ezcommerce-shop v3.3.27), and Ibexa DXP v4.6.21 (ibexa/product-catalog v4.6.21, ibexa/shipping v4.6.21, ibexa/content-tree v4.6.21, ibexa/workflow v4.6.21, ibexa/segmentation v4.6.21, ibexa/site-factory v4.6.21, ibexa/form-builder v4.6.21, ibexa/storefront v4.6.21, ibexa/admin-ui v4.6.21, ibexa/admin-ui-assets v4.6.21, ibexa/fieldtype-richtext v4.6.21, ibexa/taggify v1.2.2)
This security advisory resolves XSS vulnerabilities in several parts of the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless.
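As an added illustration (not Ibexa's own code) of the output-escaping fix described above, the snippet below shows a back-office fragment such as a search autocomplete entry rendered first without and then with HTML escaping; the item shape, function names and sample value are assumptions for this example.

```javascript
// Added example, not Ibexa code: escaping editor-supplied values (user names,
// keywords, content type names) when they are rendered into HTML fragments
// such as the search autocomplete or the Creator filter dropdown.

// Map of HTML special characters to their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape a value so it is rendered as literal text (also safe inside a
// double-quoted attribute) rather than interpreted as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored value is concatenated into markup as-is,
// so a persisted payload executes wherever this fragment is displayed.
function renderSuggestionUnsafe(item) {
  return `<li data-id="${item.id}">${item.name}</li>`;
}

// Hardened rendering: every interpolated value is escaped at output time.
// A payload that was already stored before the fix is shown as inert text,
// which is why existing injected content is rendered harmless.
function renderSuggestionSafe(item) {
  return `<li data-id="${escapeHtml(item.id)}">${escapeHtml(item.name)}</li>`;
}

// Constructed sample: a user name containing markup, as it might have been
// saved by a back-office user before the fix was applied.
const SAMPLE_ITEM = { id: 42, name: 'Jane <script>x()</script> Doe' };
```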
The Code Block in Page Builder is a special case. It is designed to accept arbitrary HTML, including embedded JavaScript, so XSS necessarily remains possible in the Code Block. As site administrator you should be aware of this when giving editors access to Page Builder features, and restrict that access to highly trusted editors. It is possible to limit access to specific blocks per content type, where you define which page blocks are available to an editor. Please see the documentation:
https://doc.ibexa.co/projects/userguide/en/4.6/content_management/configure_ct_field_settings/#default-configuration-of-pages
These are the affected areas of the back office:
Search in the dropdown
Search autocomplete
User name in Creator filter (Trash and Search) and Reviewer input
Content type filter in search
Keyword field type
Relation list field type
Embed and embed inline in the Rich Text editor
Translation modal - language dropdown -> from the content tree
Categories/Tags tag view select
Submission in the form
Create product type - attribute name
Catalog - Code filter
Catalog - Product lists - product name
Generate variant - attribute input
Targeting block in Page Builder
Code block in Page Builder (see important notes above)
Product collection block in Page Builder
Site factory form - Domain name field
Site factory form - Language field
Dashboard - Products by category block
Discounts promotion label/description in the storefront
Shipments list
Product - eCommerce tab in Price management (v3.x Ibexa Commerce)
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/