eZ Platform Admin UI vulnerable to DOM-based Cross-site Scripting in file upload widget
Moderate severity
GitHub Reviewed
Published
Jul 31, 2024
in
ezsystems/ezplatform-admin-ui
•
Updated Aug 2, 2024
Package
Affected versions
>= 3.3.0, < 3.3.39
Patched versions
3.3.39
Description
Published to the GitHub Advisory Database
Jul 31, 2024
Reviewed
Jul 31, 2024
Last updated
Aug 2, 2024
Impact
The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the upload. In effect, an attacker will have to trick an editor/administrator into uploading a strangely named file. The fix ensures XSS is escaped.
Patches
See "Patched versions". Commit: ezsystems/ezplatform-admin-ui@7a9f991
Workarounds
None.
References
Credit
This vulnerability was discovered and reported to Ibexa by Alec Romano: https://github.com/4rdr
We thank them for reporting it responsibly to us.
How to report security issues:
https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/
References