GHSA-99c7-c3mw-mxhv: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in ezsystems/ezplatform-admin-ui affecting versions >= 2.3.0 and < 2.3.39. The vulnerability was disclosed on October 17, 2025, and impacts multiple components of the Ibexa DXP back office, including image asset names, content language names, and future publishing functionality. The issue affects Ibexa DXP versions v3.3., v4.6., and v5.0.* across several repositories (GitHub Advisory, Ibexa Advisory).

The vulnerability is classified as Moderate severity with a CVSS score of 4.8. The CVSS v4 base metrics indicate a network-based attack vector with low complexity, requiring high privileges and passive user interaction. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). The technical assessment shows that while the vulnerable system has no direct confidentiality, integrity, or availability impact, there are low subsequent system impacts on both confidentiality and integrity (GitHub Advisory).

The XSS vulnerability is persistent and can potentially affect end users through front office reflection. The vulnerability requires back office access with editor or administrator-level permissions for exploitation. The impact extends across several areas of the back office, including product assets, image asset field type, content tags, acronym custom tags in Rich Text, content languages, and future publishing functionality (Ibexa Advisory).

The vulnerability has been patched in version 2.3.39 of ezsystems/ezplatform-admin-ui, and in Ibexa DXP versions v3.3.44, v4.6.25, and v5.0.3. The fixes ensure proper XSS escaping and render any existing injected XSS harmless. No workarounds are available, making it essential to upgrade to the patched versions (GitHub Advisory, Ibexa Advisory).