GHSA-8w3p-gf85-qcch

Source
https://github.com/advisories/GHSA-8w3p-gf85-qcch
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-8w3p-gf85-qcch/GHSA-8w3p-gf85-qcch.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8w3p-gf85-qcch
Aliases
  • CVE-2024-53864
Published
2024-12-02T18:34:45Z
Modified
2024-12-02T18:57:19.315148Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern
Details

Impact

The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not run.

Patches

  • See "Patched versions".
  • https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc

Workarounds

None.

References

  • Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates
  • Release notes: https://doc.ibexa.co/en/latest/updateandmigration/from4.6/updatefrom_4.6/#v4614
Database specific
{
    "nvd_published_at": "2024-11-29T19:15:09Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T18:34:45Z"
}
Affected packages

Packagist / ibexa/admin-ui

Package

Name
ibexa/admin-ui
Purl
pkg:composer/ibexa/admin-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.6.0
Fixed
4.6.14

Affected versions

v4.*

v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.6.6
v4.6.7
v4.6.8
v4.6.9
v4.6.10
v4.6.11
v4.6.12
v4.6.13