CVE-2024-43369 HIGH

CVE-2024-43369: Persistent Cross-site Scripting in Ibexa RichText Field Type

Vendor Ibexa
Product fieldtype-richtext
Weakness CWE-79 · XSS
Published August 15, 2024
Last update August 16, 2024
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Ibexa RichText Field Type is a Field Type for supporting rich formatted text stored in a structured XML format. In versions on the 4.6 branch prior to 4.6.10, the validator for the RichText fieldtype blocklists `javascript:` and `vbscript:` in links to prevent XSS. This can leave other options open, and the check can be circumvented using upper case. Content editing permissions for RichText content is required to exploit this vulnerability, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols. The new check is case insensitive. Version 4.6.10 contains a patch for this issue. No known workarounds are available.

Key dates

02Disclosure timeline

August 15, 2024 CVE published
August 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-5588 Image Editor by Pixo <= 2.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via download Parameter CVE-2021-24539 Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting CVE-2019-18249 CVE-2025-39488 WordPress MagOne theme <= 8.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-1697 Custom WooCommerce Checkout Fields Editor <= 1.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting