Home > Vulnerability Database > CVE-2024-43369

Mend.io Vulnerability Database

CVE-2024-43369

Good to know:

Date: August 15, 2024

Ibexa RichText Field Type is a Field Type for supporting rich formatted text stored in a structured XML format. In versions on the 4.6 branch prior to 4.6.10, the validator for the RichText fieldtype blocklists `javascript:` and `vbscript:` in links to prevent XSS. This can leave other options open, and the check can be circumvented using upper case. Content editing permissions for RichText content is required to exploit this vulnerability, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols. The new check is case insensitive. Version 4.6.10 contains a patch for this issue. No known workarounds are available.

Language: PHP

Severity Score

7.2

Related Resources (14)

Url: https://github.com/ezsystems/ezplatform-richtext

Url: https://github.com/ezsystems/ezplatform-richtext/commit/dbe816f3ff4c903cc508dfdcdca8791c8284d292

Url: https://github.com/ezsystems/ezplatform-richtext/commit/8b75c603dfd1ad6f6f3db15ae2324876683cbaf9

Url: https://github.com/ezsystems/ezplatform-richtext/commit/2c652915625c47b493a2be06924f4c87d1df7d8e

Url: https://github.com/ibexa/fieldtype-richtext/security/advisories/GHSA-hvcf-6324-cjh7

Url: https://github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-rhm7-7469-rcpw

Url: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-005-persistent-xss-in-richtext

Url: https://github.com/ibexa/fieldtype-richtext/commit/59e9c1a9da60597f60cf7338bf289dccaa7e27ca

Url: https://github.com/ezsystems/ezplatform-richtext/commit/7bbc6d024c6146d1e1ba84d27a3ebffe9459613e

Url: https://github.com/ibexa/fieldtype-richtext/commit/0a3b830e8806d5169f697351fdc48ffd95a25c67

Url: https://github.com/ibexa/fieldtype-richtext

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43369

Url: https://github.com/ezsystems/ezplatform-richtext/commit/6131975108fa9756e17043e7a06a4e72f786f842

Url: https://www.mend.io/vulnerability-database/CVE-2024-43369

Severity Score

7.2

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version ibexa/fieldtype-richtext-v4.6.10

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-43369

Good to know:

Date: August 15, 2024

Language: PHP

Severity Score

Related Resources (14)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?