Severity:
Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-workflow v2.3.*, ezsystems/ezplatform-site-factory v1.3.*, ezsystems/ezplatform-form-builder v2.3.*, ezsystems/ezplatform-segmentation v1.1.*, ezsystems/ezplatform-admin-ui v2.3.*, ezsystems/ezplatform-admin-ui-assets v5.3.*, ezsystems/ezcommerce-shop v3.3.*), and Ibexa DXP v4.6.* (ibexa/product-catalog v4.6.*, ibexa/shipping v4.6.*, ibexa/content-tree v4.6.*, ibexa/workflow v4.6.*, ibexa/segmentation v4.6.*, ibexa/site-factory v4.6.*, ibexa/form-builder v4.6.*, ibexa/storefront v4.6.*, ibexa/admin-ui v4.6.*, ibexa/admin-ui-assets v4.6.*, ibexa/fieldtype-richtext v4.6.*, ibexa/taggify v1.2.*)
Resolving versions: Ibexa DXP v3.3.43 (ezsystems/ezplatform-workflow v2.3.20, ezsystems/ezplatform-site-factory v1.3.17, ezsystems/ezplatform-form-builder v2.3.20, ezsystems/ezplatform-segmentation v1.1.13, ezsystems/ezplatform-admin-ui v2.3.38, ezsystems/ezplatform-admin-ui-assets v5.3.5, ezsystems/ezcommerce-shop v3.3.27), and Ibexa DXP v4.6.21 (ibexa/product-catalog v4.6.21, ibexa/shipping v4.6.21, ibexa/content-tree v4.6.21, ibexa/workflow v4.6.21, ibexa/segmentation v4.6.21, ibexa/site-factory v4.6.21, ibexa/form-builder v4.6.21, ibexa/storefront v4.6.21, ibexa/admin-ui v4.6.21, ibexa/admin-ui-assets v4.6.21, ibexa/fieldtype-richtext v4.6.21, ibexa/taggify v1.2.2)
This security advisory resolves XSS vulnerabilities in several parts of the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities; this typically means an Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure that the affected values are escaped on output, so that any already injected XSS is rendered harmless.
The Code Block in Page Builder is a special case. It is designed to accept any HTML, which includes embedded JavaScript, so XSS necessarily remains possible in the Code Block. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access to highly trusted editors only. It is possible to limit access to specific blocks per content type, where you can define which page blocks are available to an editor. Please see the documentation:
https://doc.ibexa.co/projects/userguide/en/4.6/content_management/configure_ct_field_settings/#default-configuration-of-pages
These are the affected areas of the back office:
- Search in the dropdown
- Search autocomplete
- User name in Creator filter (Trash and Search) and Reviewer input
- Content type filter in search
- Keyword field type
- Relation list field type
- Embed and embed inline in the Rich Text editor
- Translation modal - language dropdown -> from the content tree
- Categories/Tags tag view select
- Submission in the form
- Create product type - attribute name
- Catalog - Code filter
- Catalog - Product lists - product name
- Generate variant - attribute input
- Targeting block in Page Builder
- Code block in Page Builder (see important notes above)
- Product collection block in Page Builder
- Site factory form - Domain name field
- Site factory form - Language field
- Dashboard - Products by category block
- Discounts promotion label/description in the storefront
- Shipments list
- Product - eCommerce tab in Price management (v3.x Ibexa Commerce)
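Several of the affected areas above (search dropdown, autocomplete, creator filter, content type filter) are lists rendered in the browser from names that editors can save. The following is an added example, not Ibexa code, showing the unescaped rendering pattern that turns such a list into a stored-XSS sink and the escaped form that neutralises values already in the database. The suggestion data, the function names and the `<li>` markup are all constructed for illustration.

```javascript
// Constructed suggestion data standing in for user names, content type
// names or keywords that an editor with back-office access can save.
const suggestions = [
  { id: 1, name: 'Article' },
  { id: 2, name: 'Landing Page' },
  // Constructed hostile value: markup saved as a name and later rendered.
  { id: 3, name: '<img src=x onerror="alert(1)">' },
];

// Minimal HTML escaping for text placed in element content or in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is concatenated straight into markup.
// Once this string is assigned to innerHTML, markup inside the name becomes
// part of the page, so the stored value executes in every editor's session.
function buildDropdownUnsafe(items) {
  return items
    .map((item) => `<li data-id="${item.id}">${item.name}</li>`)
    .join('');
}

// Fixed pattern: every untrusted value is escaped before concatenation.
// Hostile values that are already stored are shown as literal text, which
// is what rendering existing injected XSS harmless amounts to.
function buildDropdownSafe(items) {
  return items
    .map((item) => `<li data-id="${escapeHtml(item.id)}">${escapeHtml(item.name)}</li>`)
    .join('');
}

// Defensive check for a template test: the rendered markup must contain no
// tag other than the <li> wrappers the template itself emits.
function containsForeignTags(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}
```

The check in `containsForeignTags` is a cheap regression guard for a fixed template, not a sanitizer: the defence is escaping at the point of output, and `buildDropdownSafe` is the form to keep.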
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/