ibexa/admin-ui vulnerable to Cross-site Scripting in content type name/shortname

Published: Nov 10, 2022
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-7644-cxp8-h23r" target="_blank" rel="noopener"> GHSA-7644-cxp8-h23r
Severity: Critical
Exploit:

Critical severity. It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.