GHSA-fxwm-rx68-p5vx

Published: 01 Dec 2021
Source: github
Github: Reviewed

Description

XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext

The rich text editor does not escape attribute data when previewing custom tags. This means XSS is possible if custom tags are used, for users who have access to editing rich text content. Frontend content view is not affected, but the vulnerability could be used by editors to attack other editors. The fix ensures custom tag attribute data is escaped in the editor.

Packages

Name: ezsystems/ezplatform-richtext (composer)
Affected versions: >= 2.3.0, < 2.3.7.1
Fixed version: 2.3.7.1

Weaknesses

CWE-79
