GHSA-9jp8-cwwx-p64q – ezsystems/ezplatform-admin-ui
Package
Manager: composer
Name: ezsystems/ezplatform-admin-ui
Vulnerable Version: >=1.5.0 <1.5.25.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
XSS in richtext custom tag attributes in ezsystems/ezplatform-richtext
The rich text editor does not escape attribute data when previewing custom tags. Where custom tags are in use, this makes XSS possible for users who have access to editing rich text content. Frontend content view is not affected, but editors could use the vulnerability to attack other editors. The fix ensures that custom tag attribute data is escaped in the editor.
Metadata
Created: 2021-12-01T18:28:38Z
Modified: 2021-11-29T20:55:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9jp8-cwwx-p64q/GHSA-9jp8-cwwx-p64q.json
CWE IDs: []
Alternative ID: N/A
Finding: F008
Auto approve: 1