Security advisory: IBEXA-SA-2025-005

Password change and XSS vulnerabilities in back office
Publication date:
10/12/2025, 15:51

Severity:
High

Affected versions: Ibexa DXP v4.6.* (ibexa/user v4.6.*, ibexa/share v4.6.*), and Ibexa DXP v5.0.* (ibexa/user v5.0.*, ibexa/share v5.0.*)
Resolving versions: Ibexa DXP v4.6.26 (ibexa/user v4.6.26, ibexa/share v4.6.26), and Ibexa DXP v5.0.4 (ibexa/user v5.0.4, ibexa/share v5.0.4)

This security advisory resolves two vulnerabilities in the back office.

The first vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code, with the result that the current password was no longer actually verified. This made it possible to change a password in the back office without knowing the current one. This affects only Ibexa DXP v5, not v4. The issue was reported to us by Code-Rhapsodie (https://www.code-rhapsodie.fr/). We thank them for their responsible disclosure!
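The following is an added illustration of the bug class described above; it is not Ibexa's code and does not reproduce the actual defect in ibexa/user. It places a hypothetical change handler whose current-password check runs but whose result is never acted on next to a handler that rejects the request when the current password does not match, and gives a regression check that asserts on the outcome (a wrong current password must be rejected and the stored credential must be unchanged) rather than on the validator merely having been called. The user store, hashing parameters and function names are assumptions for the example.

```python
"""Password-change flow: current-password check that is bypassed vs. enforced.

Added example, not Ibexa code. User, hashing and handler names are hypothetical.
"""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes = None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (parameters are illustrative)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class User:
    """Minimal stand-in for a back office user record."""

    def __init__(self, login: str, password: str):
        self.login = login
        self.salt, self.digest = hash_password(password)


class PasswordChangeError(Exception):
    """Raised when a password change request is refused."""


def change_password_vulnerable(user: User, current_password: str, new_password: str) -> None:
    """Hypothetical regression: the check runs, but its boolean result is discarded,
    so any value for current_password is accepted."""
    verify_password(current_password, user.salt, user.digest)  # result never used
    user.salt, user.digest = hash_password(new_password)


def change_password_fixed(user: User, current_password: str, new_password: str) -> None:
    """Hardened form: refuse the change unless the current password verifies."""
    if not verify_password(current_password, user.salt, user.digest):
        raise PasswordChangeError("current password does not match")
    user.salt, user.digest = hash_password(new_password)


def requires_current_password(handler) -> bool:
    """Regression check for a change handler: a request carrying a wrong current
    password must be refused AND must leave the stored credential intact."""
    original = "correct horse battery staple"  # constructed sample credential
    user = User("editor", original)
    try:
        handler(user, "wrong-guess", "attacker-chosen")
    except PasswordChangeError:
        # Refused; confirm nothing was written.
        return verify_password(original, user.salt, user.digest)
    return False  # accepted a wrong current password: the bug is present


def accepts_correct_current_password(handler) -> bool:
    """Sanity check: a request with the right current password still succeeds."""
    user = User("editor", "old-password")
    handler(user, "old-password", "new-password")
    return verify_password("new-password", user.salt, user.digest)


if __name__ == "__main__":
    for name, handler in (("vulnerable", change_password_vulnerable),
                          ("fixed", change_password_fixed)):
        print(f"{name}: requires current password = {requires_current_password(handler)}")
```

The useful part for a practitioner is `requires_current_password`: a unit test that only checks that the validator was invoked would pass against both handlers, which is exactly how a mistake like the one described above can survive a refactor. Tie the assertion to the observable security outcome (the request is refused and the hash on disk is unchanged), and keep that test in place across major-version migrations.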

The second vulnerability is an XSS issue in the share dialog of the back office, where insufficient input filtering allowed users to enter JavaScript code. There is no indication that this input would be stored and rendered for other users, so the risk appears limited. This affects both v5 and v4.

Back office access is required to exploit either vulnerability. In practice this means an Editor or Administrator role, or similar.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/
