
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Ibexa Admin UI Bundle (ezsystems/ezplatform-admin-ui) contains a DOM-based cross-site scripting (XSS) vulnerability in its file upload widget, tracked as CVE-2024-39318. The vulnerability affects the 3.3 and 4.6 release branches of the software and was discovered on July 31, 2024. It was responsibly reported by security researcher Alec Romano (Ibexa Advisory).
The vulnerability is a DOM-based XSS that exists in the file upload widget where filenames containing malicious payloads are not properly escaped. The issue has been assigned a CVSS v4.0 score of 4.8 (Moderate severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Cross-site Scripting (GitHub Advisory).
The vulnerability allows for XSS attacks through specially crafted filenames. While the impact is limited by the requirement for authentication and user interaction, successful exploitation could lead to execution of malicious scripts in the context of the authenticated user's session. The XSS is not persistent and only executes during the file upload process (Ibexa Advisory).
The vulnerability has been patched in versions 3.3.39 of ezsystems/ezplatform-admin-ui and 4.6.9 of ibexa/admin-ui. The fix ensures proper escaping of XSS payloads in filenames. Users are advised to upgrade to these patched versions as no workarounds are available (Ibexa Advisory).
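The escaping the fix describes, shown here as an added illustration that is not Ibexa's own code and does not reproduce the widget's implementation: the vulnerable pattern concatenates the raw filename into markup that the browser parses, while the hardened pattern escapes the filename first (or assigns it via `textContent`, which never parses HTML). The function names and the sample filename are constructed for this example.

```javascript
// Added example (not from the Ibexa Admin UI Bundle): rendering an uploaded
// file's name into the page without letting the name be parsed as markup.

// Escape the characters that can change meaning in an HTML text or
// attribute context. Order matters: '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw filename is spliced into an HTML string that is
// later handed to innerHTML, so any markup inside the name becomes live DOM.
function renderFileEntryUnsafe(fileName) {
  return `<li class="upload-entry">${fileName}</li>`;
}

// Hardened pattern: escape before splicing, so the name is rendered as text.
function renderFileEntryEscaped(fileName) {
  return `<li class="upload-entry">${escapeHtml(fileName)}</li>`;
}

// Preferred pattern in browser code: build the element and set textContent,
// which is never parsed as HTML. Kept separate so the string-based helpers
// above run without a DOM (e.g. under Node).
function renderFileEntryDom(doc, fileName) {
  const li = doc.createElement("li");
  li.className = "upload-entry";
  li.textContent = fileName;
  return li;
}

// Quick self-check with a constructed filename containing a harmless tag.
function demo() {
  const sampleName = "quarterly<i>report</i>.pdf"; // constructed sample input
  return {
    unsafe: renderFileEntryUnsafe(sampleName),
    escaped: renderFileEntryEscaped(sampleName),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("unsafe :", out.unsafe);   // tag survives and would be parsed
  console.log("escaped:", out.escaped);  // tag rendered as literal text
}
```

Escaping at the point where the filename enters the DOM is the defensive control; a check that the rendered markup no longer contains the literal `<` from the input is an easy unit test to keep in place after the upgrade.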
Source: This report was generated using AI