GHSA-5r6x-g6jv-4v87

Source

https://github.com/advisories/GHSA-5r6x-g6jv-4v87

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-5r6x-g6jv-4v87/GHSA-5r6x-g6jv-4v87.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-5r6x-g6jv-4v87

Published

2025-06-13T14:50:44Z

Modified

2025-06-13T15:48:27.115120Z

Severity

6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N CVSS Calculator

Summary

Ibexa Admin UI XSS vulnerabilities in back office

Details

Impact

This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless.

Patches

See "Patched versions".
https://github.com/ibexa/admin-ui/commit/72a64d90d249e5f4c4a5e8238f5d627c9b68d9b8

Workarounds

None.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-06-13T14:50:44Z"
}

References

Affected packages

Packagist / ibexa/admin-ui

Package

Name: ibexa/admin-ui
Purl: pkg:composer/ibexa/admin-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0-beta1

Fixed

4.6.21

Affected versions

v4.*

v4.6.0-beta1

v4.6.0-beta2

v4.6.0-beta3

v4.6.0-beta4

v4.6.0-beta5

v4.6.0-rc1

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.9

v4.6.10

v4.6.11

v4.6.12

v4.6.13

v4.6.14

v4.6.15

v4.6.16

v4.6.17

v4.6.18

v4.6.19

v4.6.20