QwikSec

Security Database

CVE

CWE

Training

CVE-2024-39318

Published: Jul 31, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

The Ibexa Admin UI Bundle contains all the necessary parts to run the Ibexa DXP Back Office interface. The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the upload. In effect, an attacker will have to trick an editor/administrator into uploading a strangely named file.

Vendor	Product	Versions
ibexa	admin-ui	affected `>= 4.6.0-beta1, < 4.6.9`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/ibexa/admin-ui/security/advisories/GHSA-qm44-wjm2-pr59

x_refsource_CONFIRM

https://github.com/ezsystems/ezplatform-admin-ui/security/advisories/GHSA-gc5h-6jx9-q2qh

x_refsource_MISC

https://github.com/ezsystems/ezplatform-admin-ui/commit/7a9f991b200fa5a03d49cd07f50577c8bc90a30b

x_refsource_MISC

https://github.com/ibexa/admin-ui/commit/8dc413fad1045fcfbe65dbcb0bea8516accc4c3e

x_refsource_MISC

https://developers.ibexa.co/security-advisories/ibexa-sa-2024-004-dom-based-xss-in-file-upload

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.