Skip to content

ibexa/admin-ui vulnerable to Cross-site Scripting in content type name/shortname

Critical severity GitHub Reviewed Published Nov 10, 2022 in ibexa/admin-ui • Updated Jan 7, 2023

Package

composer ibexa/admin-ui (Composer)

Affected versions

>= 4.2.0, < 4.2.3

Patched versions

4.2.3

Description

Critical severity. It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.

References

@glye glye published to ibexa/admin-ui Nov 10, 2022
Published to the GitHub Advisory Database Nov 10, 2022
Reviewed Nov 10, 2022
Last updated Jan 7, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-7644-cxp8-h23r

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.