Headline
GHSA-58h5-h554-429q: ezplatform-admin-ui vulnerable to Cross-Site Scripting (XSS)
It is possible to inject JavaScript XSS in the content type entries “name” and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.
Package
composer ezsystems/ezplatform-admin-ui (Composer)
Affected versions
>= 2.3.0, < 2.3.26
Patched versions
2.3.26
Description
It is possible to inject JavaScript XSS in the content type entries “name” and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.
References
- GHSA-58h5-h554-429q
- ezsystems/ezplatform-admin-ui@29e156a
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips
glye published the maintainer security advisory
Nov 10, 2022