GHSA-cj3w-g42v-wcj6

Source

https://github.com/advisories/GHSA-cj3w-g42v-wcj6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-cj3w-g42v-wcj6/GHSA-cj3w-g42v-wcj6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cj3w-g42v-wcj6

Published

2025-04-10T12:26:50Z

Modified

2025-04-10T12:35:11.828619Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

ibexa/fieldtype-richtext allows access to external entities in XML

Details

Impact

This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.

If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.

Credits

This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.

Patches

See "Patched versions"
https://github.com/ibexa/fieldtype-richtext/commit/823cba6b5ee2e81d7d74e622ce42c1451e8e1337

Workarounds

Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.

References

https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T12:26:50Z"
}

References

Affected packages

Packagist / ibexa/fieldtype-richtext

Package

Name: ibexa/fieldtype-richtext
Purl: pkg:composer/ibexa/fieldtype-richtext

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0-beta1

Fixed

4.6.19

Affected versions

v4.*

v4.6.0-beta1

v4.6.0-beta2

v4.6.0-beta3

v4.6.0-beta4

v4.6.0-beta5

v4.6.0-rc1

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.9

v4.6.10

v4.6.11

v4.6.12

v4.6.13

v4.6.14

v4.6.15

v4.6.16

v4.6.17

v4.6.18