
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in ezsystems/ezplatform-richtext and ezsystems/ezplatform-admin-ui, identified as GHSA-9jp8-cwwx-p64q. The vulnerability was published on November 25, 2021, affecting versions v2.3. of ezplatform-richtext and v1.5. of ezplatform-admin-ui. The issue was specifically related to the rich text editor's handling of custom tag attributes (GitHub Advisory, Ibexa Advisory).
The vulnerability stems from the rich text editor's failure to properly escape attribute data when previewing custom tags. This security flaw affects Ibexa DXP v3.3 and eZ Platform v2.5. The issue was addressed in the patched versions ezsystems/ezplatform-richtext v2.3.7.1 and ezsystems/ezplatform-admin-ui v1.5.25.1 (Ibexa Advisory).
While the frontend content view remains unaffected, the vulnerability could be exploited by editors to launch attacks against other editors who have access to rich text content editing capabilities. The security issue is specifically contained within the editor preview functionality (GitHub Advisory).
The vulnerability has been fixed by ensuring custom tag attribute data is properly escaped in the editor. Users are advised to upgrade to the patched versions: ezsystems/ezplatform-richtext v2.3.7.1 or ezsystems/ezplatform-admin-ui v1.5.25.1 (Ibexa Advisory).
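The class of fix described above, shown as an added example that is not code from Ibexa or from either advisory: a hypothetical preview renderer that builds custom tag preview markup first without and then with escaping of attribute data. The function names, the `factbox` tag name and the sample attributes are assumptions constructed for illustration.

```javascript
// Added illustration; function and tag names are hypothetical, not Ibexa code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Coerce first so numbers, null and undefined cannot bypass escaping.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": attribute data is concatenated into the preview markup unescaped,
// so markup characters in a value are interpreted by the browser.
function renderPreviewUnsafe(tagName, attributes) {
  const rows = Object.entries(attributes)
    .map(([name, value]) => `<li data-attr="${name}">${name}: ${value}</li>`)
    .join('');
  return `<div class="custom-tag-preview" data-tag="${tagName}"><ul>${rows}</ul></div>`;
}

// "After": every piece of editor-supplied data (tag name, attribute names,
// attribute values) is escaped before it reaches the preview markup.
function renderPreviewSafe(tagName, attributes) {
  const rows = Object.entries(attributes)
    .map(([name, value]) => {
      const safeName = escapeHtml(name);
      return `<li data-attr="${safeName}">${safeName}: ${escapeHtml(value)}</li>`;
    })
    .join('');
  return `<div class="custom-tag-preview" data-tag="${escapeHtml(tagName)}"><ul>${rows}</ul></div>`;
}

// Constructed sample: a benign attribute value that contains markup characters.
const SAMPLE_ATTRIBUTES = { title: 'Q&A "draft" <b>bold</b>', width: 300 };

function demo() {
  return {
    unsafe: renderPreviewUnsafe('factbox', SAMPLE_ATTRIBUTES),
    safe: renderPreviewSafe('factbox', SAMPLE_ATTRIBUTES),
  };
}
```

In the unsafe output the `<b>` element from the attribute value becomes live markup in the preview; in the safe output the same value is rendered as text.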
Source: This report was generated using AI