Security advisory: IBEXA-SA-2026-003

Vulnerabilities in Forms submissions, REST sessions, and SOLR logs
Publication date:
22/05/2026, 10:43

Severity:
High

Affected versions: Ibexa DXP v4.6.* and Ibexa DXP v5.0.*
Resolving versions: Ibexa DXP v4.6.30 and Ibexa DXP v5.0.8

This security advisory concerns three vulnerability fixes released together. These vulnerabilities range from medium to high severity. We strongly recommend applying the fixes as soon as possible if you are affected.

DXP vulnerabilities

  1. Formula injection in CSV files downloaded from Forms submissions. Submitted values that begin with a formula character are written to the CSV unchanged and can execute when the file is opened in spreadsheet software.
  2. Logout via the REST API does not destroy the server-side session data. A client that keeps presenting the same session cookie remains logged in after logout.
  3. When SOLR is used with basic auth, the SOLR credentials can end up in log output as part of exception messages.
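The three fixes in generic form, as an added example that is not Ibexa DXP code: a CSV cell neutraliser for item 1, a session store whose two logout variants contrast the reported behaviour with the correct one for item 2, and credential redaction for log and exception text for item 3. The function names, the in-memory session store, the cookie name SESSIONID and the sample values are assumptions made for this example.

```python
"""Generic mitigations for the three defect classes in this advisory.

This is an added illustration, not Ibexa DXP code. The function names,
the in-memory session store, the cookie name SESSIONID and the sample
values below are assumptions made for the example.
"""
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

# 1. CSV formula injection ------------------------------------------------
# Spreadsheet software treats a cell as a formula when it starts with one of
# these characters. Tab and CR are included because some importers strip
# them before deciding whether the cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def csv_safe_cell(value: str) -> str:
    """Neutralise one user-supplied value before writing it to a CSV cell.

    A leading single quote makes spreadsheets read the cell as text (this
    also affects legitimate values such as "-1"; accept that or whitelist
    numeric columns upstream). The cell is then quoted with embedded quotes
    doubled, so a separator or quote inside the value cannot start a new cell.
    """
    if value and value[0] in FORMULA_TRIGGERS:
        value = "'" + value
    return '"' + value.replace('"', '""') + '"'


def csv_row(values) -> str:
    """Render one CSV row from an iterable of untrusted values."""
    return ",".join(csv_safe_cell(str(v)) for v in values)


# 2. Logout that does not destroy the server-side session -----------------
class SessionStore:
    """Minimal server-side session store used to contrast the two logouts."""

    def __init__(self):
        self._sessions: dict[str, dict] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def current_user(self, sid: str):
        """Resolve a presented session id to a user, or None if not logged in."""
        return self._sessions.get(sid, {}).get("user")

    def logout_vulnerable(self, sid: str) -> dict:
        # Only tells the client to drop its cookie. The server-side session
        # survives, so anyone who still presents `sid` is still logged in.
        return {"Set-Cookie": "SESSIONID=deleted; Max-Age=0"}

    def logout_fixed(self, sid: str) -> dict:
        # Invalidate the session server-side first, then expire the cookie.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "SESSIONID=deleted; Max-Age=0"}


# 3. Credentials leaking through exception messages -----------------------
# Matches "scheme://userinfo@" so the userinfo part can be masked in any free
# text, e.g. an exception message that echoes the Solr endpoint URL.
_URL_USERINFO = re.compile(r"([a-z][a-z0-9+.-]*://)[^\s/]+@", re.IGNORECASE)


def redact_url_credentials(text: str) -> str:
    """Mask user:password@ in every URL found in a log or exception message."""
    return _URL_USERINFO.sub(r"\1***@", text)


def strip_userinfo(url: str) -> str:
    """Return a URL safe to embed in messages: host and port kept, userinfo dropped."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc = f"{netloc}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    print(csv_row(["Alice", '=HYPERLINK("http://evil.example/","click")', -1]))
    store = SessionStore()
    sid = store.login("editor")
    store.logout_vulnerable(sid)
    print("after vulnerable logout:", store.current_user(sid))
    store.logout_fixed(sid)
    print("after fixed logout:", store.current_user(sid))
    print(redact_url_credentials(
        "Solr request failed: http://solr:s3cret@solr.internal:8983/solr/site/select?q=*"))
    print(strip_userinfo("http://solr:s3cret@solr.internal:8983/solr/site/select"))
```

The session part doubles as the check to run against any REST logout endpoint: log in, call logout, replay the old session cookie against an authenticated resource, and expect it to be rejected. For the log redaction, prefer building messages with strip_userinfo at the point where the endpoint URL is known, and keep redact_url_credentials as a last-resort filter on the log handler for messages you do not control.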

Third-party vulnerabilities

For users of Ibexa DXP v4.6: if you run PHP 7.4 or 8.0, please be aware that several vulnerabilities have been fixed in third-party dependencies, but the fixes are only available for PHP 8.1 or newer. Since PHP 8.1 is also past its end of life, we strongly recommend upgrading to PHP 8.2 or newer so that you get the fixes for these vulnerabilities when you run composer update. If you can't upgrade, you'll need to configure Composer to ignore these vulnerabilities. The upgrade documentation, when published, will explain how you can resolve or mitigate this issue:
https://doc.ibexa.co/en/4.6/update_and_migration/from_4.6/update_from_4.6/#v4630


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/
