
CVE-2024-53864: Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern

CVSS Score: 5.3 (CVSS v4.0)

Basic Information

EPSS Score: 0.45842%
Published: 12/2/2024
Updated: 12/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ibexa/admin-ui | composer | >= 4.6.0, < 4.6.14 | 4.6.14 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The root cause is markup being written with `innerHTML` in the `getTextHeight` helper of `tooltips.helper.js`. The advisory locates the flaw in the content name pattern, which assembles content names from one or more field values, so a field value that carries a tag with an event-handler attribute ends up in the string this helper writes; because `innerHTML` parses its argument as HTML, that handler executes in the browser of whoever views the affected admin page. The fix in GitHub commit 8ec824a replaces `innerHTML` with `innerText`, so the same string is stored as character data and rendered without being parsed. The advisory is classified CWE-79 (improper neutralization of input during web page generation), the cross-site scripting weakness class. One point to check when triaging: the CVSS vector above records PR:N, while the advisory states that content edit permission is required to plant the payload; the user who triggers it only has to view the page on which the tooltip is rendered (UI:P).
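As an added illustration, and not Ibexa's code nor the contents of commit 8ec824a, the Node script below models why swapping `innerHTML` for `innerText` in a text-measurement helper closes the hole, and adds a scan for stored content names that still carry markup. The scan matters because the advisory notes that XSS injected before the fix will no longer run, which implies the injected strings themselves remain in the stored names. `FakeElement`, `probeTextVulnerable`, `probeTextFixed`, `liveHandlers`, `findInjectedMarkup` and the sample names are all constructed for this example; in a browser the two helpers would receive a real DOM element instead of the stand-in.

```javascript
// Added example, not Ibexa code. Models the innerHTML vs innerText sink
// difference behind CVE-2024-53864 and scans stored content names for
// markup that the old sink would have parsed.

const EVENT_ATTR = /\bon[a-z]+\s*=/i;

// Stand-in for a DOM element so the example runs under Node. It models the
// one property that matters here: innerHTML parses the string as markup,
// innerText stores it as character data.
class FakeElement {
  constructor() {
    this.children = [];   // {tag, attrs} for each element a parser would create
    this.textContent = '';
  }
  set innerHTML(markup) {
    this.children = [...markup.matchAll(/<([a-z][a-z0-9-]*)\b([^>]*)>/gi)]
      .map((m) => ({ tag: m[1].toLowerCase(), attrs: m[2].trim() }));
    this.textContent = markup.replace(/<[^>]*>/g, '');
  }
  set innerText(text) {
    this.children = [];
    this.textContent = text;
  }
}

// Vulnerable shape: the probe element receives the tooltip text via
// innerHTML, so a content name containing markup is parsed and any
// event-handler attribute becomes live code once the probe is attached.
function probeTextVulnerable(text) {
  const probe = new FakeElement();
  probe.innerHTML = text;
  return probe;
}

// Fixed shape (what the advisory's fix does): innerText keeps the whole
// string as text; the characters are still displayed, nothing is parsed.
function probeTextFixed(text) {
  const probe = new FakeElement();
  probe.innerText = text;
  return probe;
}

// Handlers that would execute when the probe is attached to the document,
// reported as "tag[attribute]".
function liveHandlers(el) {
  return el.children
    .filter((c) => EVENT_ATTR.test(c.attrs))
    .map((c) => `${c.tag}[${c.attrs.match(EVENT_ATTR)[0].replace(/\s*=$/, '')}]`);
}

// Content names are built from field values. Names saved before the fix keep
// whatever was injected, so this flags stored names that contain a tag, an
// entity, or an event-handler attribute for clean-up or review.
function findInjectedMarkup(names) {
  const tagOrEntity = /<[a-z!/?][^>]*>|&#?[a-z0-9]+;/i;
  return names.filter((n) => tagOrEntity.test(n) || EVENT_ATTR.test(n));
}

// Constructed sample: a benign name, a name with an injected handler, and a
// name with harmless-looking but still parseable tags.
const SAMPLE_NAMES = [
  'Quarterly report 2024',
  'Landing page <img src=x onerror=alert(document.cookie)>',
  'Q&A <b>notes</b>',
];

console.log('vulnerable sink:', liveHandlers(probeTextVulnerable(SAMPLE_NAMES[1])));
console.log('fixed sink:', liveHandlers(probeTextFixed(SAMPLE_NAMES[1])));
console.log('stored names to review:', findInjectedMarkup(SAMPLE_NAMES));
```

Run with `node`: the vulnerable probe reports `img[onerror]`, the fixed probe reports nothing while still holding the full string as text, and the scan returns the two names that would need review after the upgrade.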


### Impact

The content name pattern is used to build content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not ru
