GHSA-99c7-c3mw-mxhv: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in ezsystems/ezplatform-admin-ui affecting versions 2.3.0 through 2.3.38. The vulnerability was disclosed on October 17, 2025, and primarily affects the Cancel/Reschedule future publication modal in the back office of the DXP platform. The issue impacts image asset names, content language names, and future publishing functionalities (GitHub Advisory, Ibexa Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v4 score of 4.8 (Moderate severity). The technical root cause was identified in the EzImageAsset._updatePreview function within src/bundle/Resources/public/js/scripts/fieldType/ezimageasset.js, where the code was using innerHTML instead of innerText for rendering content names, allowing potential script execution (GitHub Advisory).

The vulnerability allows for persistent XSS attacks that could affect both back office users and potentially end users through front office reflection. Exploitation requires back office access with editor or administrator-level permissions. The vulnerability can lead to unauthorized script execution and potential data exposure (Miggo Analysis, Ibexa Advisory).

The vulnerability has been patched in version 2.3.39 of ezsystems/ezplatform-admin-ui. The fix involves replacing innerHTML with innerText to ensure proper escaping of XSS content. No workarounds are available, and users are advised to upgrade to the patched version (GitHub Advisory, Ibexa Advisory).