N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2jqj-5qv2-xvcg

EPSS Score

CWE

CWE-611

Published

4/10/2025

Updated

4/10/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2jqj-5qv2-xvcg

GHSA-2jqj-5qv2-xvcg: ezsystems/ezplatform-richtext allows access to external entities in XML

Impact

This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.

If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.

Credits

This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.

Patches

See "Patched versions"
https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913

Workarounds

Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.

References

https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-2jqj-5qv2-xvcg

GHSA-2jqj-5qv2-xvcg:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2jqj-5qv2-xvcg

EPSS Score

CWE

CWE-611

Published

4/10/2025

Updated

4/10/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezplatform-richtext	composer	>= 2.3.0-beta1, < 2.3.26	2.3.26

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an XML External Entity (XXE) injection in the RichText field type. The provided commit (5ba2a82cc3aa6235ecfe87278e20c1451d9df913) shows changes primarily in src/lib/eZ/RichText/DOMDocumentFactory.php and the introduction of a new src/lib/RichText/XMLSanitizer.php.

The key change is within the DOMDocumentFactory::loadXMLString method. Before the patch, this method directly used loadXML with the LIBXML_NOENT flag on the user-supplied XML string. The LIBXML_NOENT flag instructs the XML parser to substitute entities, which is the entry point for XXE attacks if the XML is not properly sanitized. The patch introduces calls to XMLSanitizer::sanitizeXMLString and XMLSanitizer::convertCDATAToText before and after the loadXML call, respectively. This indicates that DOMDocumentFactory::loadXMLString was the function directly processing the malicious input and was vulnerable prior to these sanitization steps being added. The functions within XMLSanitizer are part of the mitigation, not the vulnerable functions themselves. The vulnerability existed in the loadXMLString method due to the lack of input sanitization before entity processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-2jqj-5qv2-xvcg: ezsystems/ezplatform-richtext allows access to external entities in XML

Impact

Credits

Patches

Workarounds

References

GHSA-2jqj-5qv2-xvcg:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

GHSA-2jqj-5qv2-xvcg: ezsystems/ezplatform-richtext allows access to external entities in XML

Impact

Credits

Patches

Workarounds

References

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI