-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ibexa/admin-ui | composer | >= 5.0.0, < 5.0.3 | 5.0.3 |
| ibexa/admin-ui | composer | >= 4.6.0, < 4.6.25 | 4.6.25 |
Miggo AIRoot Cause AnalysisThe analysis began by examining the provided vulnerability information, which indicated XSS vulnerabilities in ibexa/admin-ui. The affected version ranges are >= 5.0.0, < 5.0.3 and >= 4.6.0, < 4.6.25. I identified the commits between the last vulnerable version and the first patched version for both ranges.
Within the commit history, two commits with security-related messages were found: da3bfbfbc47d322cf052b14bf609858b6ddee5c7 and 2016a6933e3f3c7aa0993613a099b6ad6cbc6b45.
Commit da3bfbfbc47d322cf052b14bf609858b6ddee5c7 titled "[Security] IBX-10200: Fix XSS in reschedule/cancel-schedule modal" modified src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js. The change replaced a call to .innerHTML with .innerText when setting an asset name. This is a classic XSS fix, preventing unsanitized input from being rendered as HTML. The vulnerable code is located in an anonymous event handler function.
Commit 2016a6933e3f3c7aa0993613a099b6ad6cbc6b45 titled "IBX-10286: Fix Multilevel Popup Menu XSS" modified src/bundle/Resources/public/js/scripts/core/multilevel.popup.menu.js. The patch added HTML escaping to the label and sublabel parameters within the _renderItem method of the MultilevelPopupMenu class. This prevents malicious input from being rendered as HTML in popup menus.
These two commits directly address the types of XSS vulnerabilities described in the advisory and are present in the patch releases for both affected version branches. The identified functions are therefore the locations where the vulnerabilities existed and were fixed.