GHSA-2JQJ-5QV2-XVCG
Vulnerability from github – Published: 2025-04-10 12:25 – Updated: 2025-04-10 12:26Impact
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.
If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.
Credits
This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.
Patches
- See "Patched versions"
- https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913
Workarounds
- Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.
References
- https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-richtext"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0-beta1"
},
{
"fixed": "2.3.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T12:25:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.\n\nIf you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.\n\n### Credits\nThis vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of [Compass Security Deutschland GmbH](https://www.compass-security.com/en/). We thank them for reporting it responsibly to us.\n\n### Patches\n- See \"Patched versions\"\n- https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913\n\n### Workarounds\n- Exploitation requires edit access to RichText content. If you can trust your editors, and you don\u0027t grant edit permission to any externals, you are not at risk in practice.\n\n### References\n- https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext",
"id": "GHSA-2jqj-5qv2-xvcg",
"modified": "2025-04-10T12:26:44Z",
"published": "2025-04-10T12:25:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-2jqj-5qv2-xvcg"
},
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezplatform-richtext"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ezsystems/ezplatform-richtext allows access to external entities in XML"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.