Ibexa eZ Platform Admin UI XSS vulnerabilities in back office

Impact

This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless.

Patches

See "Patched versions".
https://github.com/ezsystems/ezplatform-admin-ui/commit/acaa620d4ef44e7c20908dc389d48064f2c19e6d

Workarounds

None.

Published: Jun 13, 2025
Updated: Jun 14, 2025
GHSA: GHSA-r7pm-mw8g-p7px
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ezsystems / ezplatform-admin-ui	2.3.0-beta1	2.3.38

Vulnerability Database

289,871

Ibexa eZ Platform Admin UI XSS vulnerabilities in back office

Impact

Patches

Workarounds