GHSA-vhgq-r8gx-5fpv: 
PHP vulnerability analysis and mitigation

A series of XSS vulnerabilities were discovered in the back office of Ibexa DXP, identified as IBEXA-SA-2025-003 and GHSA-vhgq-r8gx-5fpv. The vulnerabilities affect multiple versions including Ibexa DXP v3.3. and v4.6. series. The issue was disclosed on June 11, 2025, primarily impacting the admin UI assets and various back-office components (GitHub Advisory, Ibexa Advisory).

The vulnerability has been assessed with a CVSS v4.0 score of 6.1 (Moderate severity) with the vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N. The vulnerability affects multiple components including search functionality, content type filters, keyword fields, relation list fields, rich text editor components, and various other back-office features (GitHub Advisory).

The XSS vulnerabilities are persistent and can be reflected in the front office, potentially affecting end users. The injected XSS could impact various areas of the back office, including search functionality, user interfaces, and content management systems. The Code Block in Page Builder is particularly notable as it's designed to accept any HTML, including embedded JavaScript, making it inherently vulnerable to XSS (Ibexa Advisory).

The vulnerabilities have been patched in Ibexa DXP v3.3.43 and v4.6.21. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. For the Code Block in Page Builder, which remains inherently vulnerable due to its design, administrators are advised to limit access to highly trusted editors only and can restrict access to specific blocks per content type (Ibexa Advisory).