GHSA-5r6x-g6jv-4v87: Ibexa Admin UI XSS vulnerabilities in back office

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/13/2025
Updated: 6/13/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name   | Ecosystem | Vulnerable Versions         | First Patched Version
ibexa/admin-ui | composer  | >= 4.6.0-beta1, < 4.6.21    | 4.6.21

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in multiple JavaScript components within the Ibexa Admin UI's back office, where user-controllable data (such as item names, labels, search terms, and content metadata) was incorporated into HTML strings or written directly into the DOM without proper escaping. This typically occurred through direct string concatenation into templates, direct assignment to innerHTML, or calls to insertAdjacentHTML with unescaped content. An attacker with sufficient permissions (e.g., Editor, Administrator) could inject malicious scripts (XSS) by crafting input that these vulnerable functions would then render. The injected XSS could be persistent and potentially affect front-office users.

The patches address these issues by consistently applying HTML escaping functions (e.g., escapeHTML for element content, escapeHTMLAttribute for attribute values) to the data before it is used in an HTML context. Additionally, helper functions such as dangerouslyInsertAdjacentHTML, dangerouslySetInnerHTML, and dangerouslyAppend are introduced. These helpers do not sanitize anything themselves; their names signal that the input string is already escaped or is intentionally HTML, which makes the code's intent explicit and, combined with prior escaping of dynamic data, easier to review.
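The two patterns the analysis contrasts, shown side by side as an added example written for this page (not Ibexa's code; the escapeHTML, escapeHTMLAttribute and dangerouslySetInnerHTML functions below are this example's own implementations, and their resemblance to the Ibexa helpers' signatures is an assumption). The sample item name is constructed; a stand-in object replaces a DOM element so the block runs outside a browser.

```javascript
// Added example: user-controlled text concatenated raw into markup versus
// escaped per context before being handed to an explicitly "dangerous" sink.

// Characters that change meaning in element content or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value that will be placed in element content (assumed helper, not Ibexa's).
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape a value that will be placed inside a double-quoted attribute value.
// The same character set suffices here; the distinct name documents the context.
function escapeHTMLAttribute(value) {
  return escapeHTML(value);
}

// VULNERABLE pattern from the advisory: the item name is concatenated raw into a
// template string, so markup in the name becomes markup in the page.
function renderItemUnsafe(item) {
  return `<li data-name="${item.name}">${item.name}</li>`;
}

// FIXED pattern: every dynamic value is escaped for the context it lands in.
function renderItemSafe(item) {
  return `<li data-name="${escapeHTMLAttribute(item.name)}">${escapeHTML(item.name)}</li>`;
}

// Marker sink in the spirit of the advisory's dangerouslySetInnerHTML (assumed
// shape): it performs no sanitisation; the name tells a reviewer that the caller
// must have escaped dynamic data already.
function dangerouslySetInnerHTML(element, alreadyEscapedHTML) {
  element.innerHTML = alreadyEscapedHTML;
  return element;
}

// Crude detection check used below: does the produced markup contain a raw <script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: an item name a back-office editor could have saved.
const SAMPLE_ITEM = { name: 'Quarterly "Report" <script>alert(1)</script>' };

// Stand-in for a DOM element so the example runs under Node as well as in a browser.
const container = { innerHTML: '' };
dangerouslySetInnerHTML(container, renderItemSafe(SAMPLE_ITEM));

console.log('unsafe :', renderItemUnsafe(SAMPLE_ITEM));   // raw <script> survives
console.log('safe   :', container.innerHTML);             // tags and quotes are entities
console.log('raw script in unsafe?', containsRawScriptTag(renderItemUnsafe(SAMPLE_ITEM)));
console.log('raw script in safe?  ', containsRawScriptTag(container.innerHTML));
```

In a browser, `container` would be the real element and the string returned by renderItemSafe is what gets assigned; the point of the naming convention is that a reviewer seeing `dangerouslySetInnerHTML(el, renderItemUnsafe(item))` knows to look for the missing escaping at the call site rather than inside the sink.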


Impact

This security advisory is a part of IBEXA-SA-****-***, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit
