Description

Ibexa RichText Field Type is a Field Type for supporting rich formatted text stored in a structured XML format. In versions on the 4.6 branch prior to 4.6.10, the validator for the RichText fieldtype blocklists `javascript:` and `vbscript:` in links to prevent XSS. This can leave other options open, and the check can be circumvented using upper case. Content editing permissions for RichText content is required to exploit this vulnerability, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols. The new check is case insensitive. Version 4.6.10 contains a patch for this issue. No known workarounds are available.

INFO

Published Date :

2024-08-15T23:17:19.044Z

Last Modified :

2024-08-16T14:05:43.757Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-43369 vulnerability.

Vendors Products
Ibexa
  • Ezplatform-richtext
  • Fieldtype-richtext
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-43369.

URL Resource
https://developers.ibexa.co/security-advisories/ibexa-sa-2024-005-persistent-xss-in-richtext cve-icon cve-icon
https://github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-rhm7-7469-rcpw cve-icon cve-icon
https://github.com/ibexa/fieldtype-richtext/commit/0a3b830e8806d5169f697351fdc48ffd95a25c67 cve-icon cve-icon
https://github.com/ibexa/fieldtype-richtext/commit/59e9c1a9da60597f60cf7338bf289dccaa7e27ca cve-icon cve-icon
https://github.com/ibexa/fieldtype-richtext/security/advisories/GHSA-hvcf-6324-cjh7 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact