GHSA-r5rx-53g9-25rj: 
PHP vulnerability analysis and mitigation

A series of XSS vulnerabilities were discovered in the back office of Ibexa DXP, affecting multiple components including ezsystems/ezplatform-admin-ui-assets. The vulnerability was disclosed on June 12, 2025, with a high severity rating. The affected versions include Ibexa DXP v3.3. and v4.6., specifically impacting ezplatform-admin-ui-assets versions >= 5.3.0-beta1 and < 5.3.5 (GitHub Advisory, Ibexa Advisory).

The vulnerability received a CVSS v4.0 score of 6.1 (Moderate), with the vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N. The XSS vulnerabilities were found in multiple areas of the back office, including search functionality, content type filters, relation list field types, and various other components. The vulnerability requires network access and high privileges to exploit, but has low attack complexity (GitHub Advisory).

The XSS vulnerabilities could be exploited by users with back office access, typically requiring Editor or Administrator role permissions. The injected XSS is persistent and can be reflected in the front office, potentially affecting end users. The vulnerability could lead to high integrity impact on subsequent systems (Ibexa Advisory).

The vulnerabilities have been patched in version 5.3.5 of ezplatform-admin-ui-assets. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. For the Code Block in Page Builder, which necessarily remains vulnerable due to its design to accept any HTML, administrators should limit access to highly trusted editors only (Ibexa Advisory).