Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Persistent Cross-site Scripting in Ibexa RichText Field Type
Vulnerability Description
Ibexa RichText Field Type is a Field Type for supporting rich formatted text stored in a structured XML format. In versions on the 4.6 branch prior to 4.6.10, the validator for the RichText fieldtype blocklists `javascript:` and `vbscript:` in links to prevent XSS. This can leave other options open, and the check can be circumvented using upper case. Content editing permissions for RichText content is required to exploit this vulnerability, which typically means Editor role or higher. The fix implements an allowlist instead, which allows only approved link protocols. The new check is case insensitive. Version 4.6.10 contains a patch for this issue. No known workarounds are available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
RichText Field Type 安全漏洞
Vulnerability Description
RichText Field Type是Ibexa开源的一个应用程序。 RichText Field Type 4.6.10之前版本存在安全漏洞,该漏洞源于RichText字段类型的验证器在链接中阻止了javascript:和vbscript:以防止跨站脚本攻击。然而,这种检查可以通过使用大写字母来绕过,从而留下其他选项开放。
CVSS Information
N/A
Vulnerability Type
N/A