Security advisory: IBEXA-SA-2023-003

Path traversal vulnerability in Moment.js
Publication date: 26/05/2023, 11:42

Severity: Medium

Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-admin-ui-assets v5.3.*)
Resolving versions: Ibexa DXP v3.3.33 (ezsystems/ezplatform-admin-ui-assets v5.3.4)

This security advisory resolves a vulnerability in the third-party Moment.js dependency. Versions of that package before 2.29.2 are vulnerable to a path traversal attack. It is not known whether this affected Ibexa DXP. The update resolves the issue.

This advisory notice is severely delayed due to unfortunate circumstances. We apologise for the delay. The update has been available since v3.3.33 was released. Other branches are not affected.


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
