CVE-2024-39318: 
PHP vulnerability analysis and mitigation

The Ibexa Admin UI Bundle contains a DOM-based Cross-Site Scripting (XSS) vulnerability in its file upload widget (CVE-2024-39318). The vulnerability was discovered by Alec Romano and disclosed on July 31, 2024. The issue affects Ibexa DXP v3.3. (ezsystems/ezplatform-admin-ui) and v4.6. (ibexa/admin-ui) versions (Ibexa Advisory, GitHub Advisory).

The vulnerability exists in the file upload widget where filenames containing XSS payloads are not properly escaped before being displayed in the interface. The issue has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows for XSS attacks through specially crafted filenames. However, the impact is limited as it requires authentication and user interaction. The XSS is not persistent, meaning the payload is only executed during the upload process. An attacker would need to convince an authenticated editor or administrator to upload a maliciously named file (Ibexa Advisory).

The vulnerability has been patched in Ibexa DXP versions v3.3.39 (ezsystems/ezplatform-admin-ui) and v4.6.9 (ibexa/admin-ui). The fix implements proper escaping of filenames using the escapeHTML helper function. No workarounds are available, and users are advised to upgrade to the patched versions (GitHub Commit).