GHSA-r7pm-mw8g-p7px: Ibexa eZ Platform Admin UI XSS vulnerabilities in back office
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ezsystems/ezplatform-admin-ui | composer | >= 2.3.0-beta1, < 2.3.38 | 2.3.38 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (GHSA-r7pm-mw8g-p7px) is a set of Cross-Site Scripting (XSS) issues in the Ibexa eZ Platform Admin UI. The provided patch (commit acaa620d4ef44e7c20908dc389d48064f2c19e6d) addresses these by ensuring that user-supplied data, specifically content type names (checkbox.dataset.name) and user names (user.TranslatedName), are properly escaped before being rendered as HTML content or HTML attributes.
The root cause was the direct use of potentially tainted data in HTML construction or via innerHTML assignments without prior sanitization. For example, in admin.search.filters.js and admin.trash.list.js, the createUsersListItem functions would construct HTML strings by concatenating user.TranslatedName directly. If an attacker could control this name (e.g., by editing a user profile with a malicious name), they could inject scripts. Similarly, filterByContentType used checkbox.dataset.name without escaping.
The functions filterByContentType, createUsersListItem, and showUsersList in both admin.search.filters.js and admin.trash.list.js were identified as vulnerable because they process and render this data. The patch modifies these functions to use new helper functions (eZ.helpers.text.escapeHTML, eZ.helpers.text.escapeHTMLAttribute) to escape the data before it is incorporated into the DOM. The newly introduced eZ.helpers.dom.dangerouslySetInnerHTML is only a wrapper around the innerHTML assignment; the protection comes from escaping the input before it is passed in. These functions would appear in a runtime profile during the actions that trigger these UI components (e.g., searching, listing items in trash) when an XSS payload is triggered.
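An added example (not code from ezplatform-admin-ui or its patch) that models the createUsersListItem pattern described above: the vulnerable string concatenation beside its escaped form. The escapeHTML and escapeHTMLAttribute functions here are assumed stand-ins for the eZ.helpers.text helpers, and the sample user is constructed.

```javascript
// Assumed stand-in for an escapeHTML helper: escape text that lands between tags.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed stand-in for an escapeHTMLAttribute helper: escape text that lands
// inside a quoted attribute value (quotes must be neutralised as well).
function escapeHTMLAttribute(value) {
  return escapeHTML(value)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: user.TranslatedName is concatenated directly into markup,
// so a display name containing markup becomes part of the DOM once this
// string is assigned to innerHTML.
function createUsersListItemUnsafe(user) {
  return '<li data-id="' + user.id + '" data-name="' + user.TranslatedName + '">' +
         user.TranslatedName + '</li>';
}

// Hardened form: every interpolation is escaped for the context it lands in,
// attribute context for data-* values and text context for the visible name.
function createUsersListItemSafe(user) {
  return '<li data-id="' + escapeHTMLAttribute(user.id) +
         '" data-name="' + escapeHTMLAttribute(user.TranslatedName) + '">' +
         escapeHTML(user.TranslatedName) + '</li>';
}

// Constructed sample: a display name that closes the attribute and injects a tag.
const sampleUser = { id: 42, TranslatedName: 'Mallory"><b>x</b>' };

// Quick self-check a reviewer can run: the hardened output must not contain
// the raw injected tag anywhere.
function leaksRawMarkup(html) {
  return html.indexOf('<b>') !== -1;
}

console.log('unsafe:', createUsersListItemUnsafe(sampleUser));
console.log('safe:  ', createUsersListItemSafe(sampleUser));
```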