
GHSA-99c7-c3mw-mxhv: ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 10/17/2025
Updated: 10/17/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name: ezsystems/ezplatform-admin-ui
Ecosystem: composer
Vulnerable Versions: >= 2.3.0, < 2.3.39
First Patched Version: 2.3.39

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis started from the patched version of the ezsystems/ezplatform-admin-ui package, 2.3.39. Comparing the tags of the patched version and of the last vulnerable version (v2.3.38) isolates commit da3bfbfbc47d322cf052b14bf609858b6ddee5c7, whose message marks it as a security fix: "[Security] IBX-10200: Fix XSS in reschedule/cancel-schedule modal".

The relevant change in that commit is in src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js, where assetNameContainer.innerHTML = destinationContentName; became assetNameContainer.innerText = destinationContentName;. Assigning through innerText (like textContent) stores the string as a text node, so any markup in the name is displayed literally instead of being handed to the HTML parser. Moving an untrusted-string sink from innerHTML to a text property is a standard and effective XSS fix, provided every sink that renders the same value is changed. Note that the commit message refers to the reschedule/cancel-schedule modal, while the change analyzed here is the image asset preview; only that sink is covered below.

The vulnerable code was in the _updatePreview method of the EzImageAsset class. This method refreshes the preview of an image asset and wrote the asset name (destinationContentName), a value set by whoever can edit the asset, directly into the DOM via innerHTML.

EzImageAsset._updatePreview is therefore identified as the vulnerable function. An attacker with permission to set an image asset's name can store markup containing script in it; the payload then runs in the session of any back-office user who views that asset preview.

Vulnerable functions

EzImageAsset._updatePreview
src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js
The `_updatePreview` method of the `EzImageAsset` class assigned `destinationContentName` to `innerHTML`. An attacker with permission to edit image asset names could therefore inject HTML and JavaScript that is stored with the asset and rendered for every back-office user who views the preview, a stored (persistent) Cross-site Scripting vulnerability. The patch replaces `innerHTML` with `innerText`, which inserts the value as plain text, so markup in it is displayed rather than parsed and no script executes.
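The following is an added example, not code from ezplatform-admin-ui or from this advisory. It shows the two checks a reviewer would run against a codebase with this class of bug: a heuristic scanner that flags `innerHTML` assignments whose right-hand side is not a string literal (run here over a constructed snippet modelled on the before/after lines quoted above), and an HTML-escaping helper for the cases where a text-only sink such as `innerText` is not an option because markup has to be built around the untrusted name. The sample source, the `.ez-asset-name` selector, the `status` and `log` elements and the payload are all constructed for the example; the real `ezimageasset.js` is not reproduced.

```javascript
// Added example for GHSA-99c7-c3mw-mxhv; not ezplatform-admin-ui code.
// Runs under Node.js with no DOM: the scanner works on source text and the
// encoder works on strings, so both can be exercised offline.

// --- 1. Heuristic scanner for innerHTML sinks -------------------------------
// Matches `x.innerHTML = expr` and `x.innerHTML += expr`, but not comparisons
// such as `x.innerHTML === ""`. Line comments are stripped first. This is a
// regex heuristic for review triage, not a JavaScript parser.
const INNER_HTML_ASSIGN = /\.innerHTML\s*\+?=(?!=)\s*(.+?);?\s*$/;

function isStringLiteral(expr) {
  const t = expr.trim().replace(/;$/, '');
  // A quoted literal with no template interpolation cannot carry user input.
  return /^(['"`]).*\1$/.test(t) && !t.includes('${');
}

function findInnerHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    const code = line.replace(/\/\/.*$/, ''); // drop trailing // comments
    const match = INNER_HTML_ASSIGN.exec(code);
    if (match && !isStringLiteral(match[1])) {
      findings.push({ line: index + 1, code: line.trim() });
    }
  });
  return findings;
}

// Constructed sample modelled on the before/after lines quoted in the analysis.
// It is not the real ezimageasset.js.
const SAMPLE_SOURCE = [
  '_updatePreview(destinationContentName) {',
  '  const assetNameContainer = this.container.querySelector(".ez-asset-name");',
  '  assetNameContainer.innerHTML = destinationContentName;   // vulnerable sink',
  '  assetNameContainer.innerText = destinationContentName;   // patched form',
  '  this.status.innerHTML = "<em>loaded</em>";               // literal: not flagged',
  '  if (this.status.innerHTML === "") { return; }            // comparison: not flagged',
  '  this.log.innerHTML += destinationContentName;            // append is a sink too',
  '}',
].join('\n');

// --- 2. Encoding for the cases where markup must wrap the untrusted value ----
// innerText/textContent is the right fix when the value is pure text. When the
// UI has to build an element around it, encode the five HTML metacharacters so
// the browser's parser sees data, not tags or attribute delimiters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderAssetName(destinationContentName) {
  // Safe to assign to innerHTML: the only markup is the span written here.
  return `<span class="ez-asset-name">${escapeHtml(destinationContentName)}</span>`;
}

// Constructed payload of the kind a stored-XSS asset name would carry.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

console.log(findInnerHtmlSinks(SAMPLE_SOURCE)); // lines 3 and 7 of the sample
console.log(renderAssetName(PAYLOAD));          // tags neutralised as entities
```

The scanner is deliberately noisy in the safe direction: any non-literal assignment is reported, and the reviewer decides whether the value is trusted, which is exactly the question the patch commit answered for `destinationContentName`. The encoder is the fallback for sinks that cannot become `innerText`; it does not make arbitrary HTML from the asset name safe, it makes the asset name inert inside HTML that the page itself generates.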

Impact

This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required.
