#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Ibexa DXP CMS
# Vendor:   Ibexa GmbH
# CSNC ID:  CSNC-2025-001
# CVE ID:   TBD
# Subject:  DOM Cross-Site Scripting
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     08.01.2025
#
#############################################################

Introduction
------------
Ibexa DXP software empowers businesses to offer their customers
industry-leading online experiences. With a focus on delivering effective
content, offering personalized customer journeys, and facilitating
multi-channel purchases and customer service, our digital experience
software revolutionizes B2B sales, helping you grow your revenue. [1]

Compass Security discovered a security flaw in Ibexa DXP CMS, which allows
an attacker with content edit permissions to impersonate users and steal
user data.

Affected
--------
Vulnerable:
 * All versions before v4.6.14

Not vulnerable:
 * All versions from v4.6.14

Not tested:
 -

Technical Description
---------------------
The content name field can be manipulated to execute arbitrary JavaScript
code. In the following function from ibexa-admin-ui-layout-js.js, the
element's data-original-title attribute (read into a) carries
user-controlled content, and the inner helper r assigns its first
parameter e to t.innerHTML before appending t to the document body. Any
markup in that value is therefore parsed and rendered, which is a DOM
cross-site scripting sink:

    _ = function(e) {
        var a = e.dataset.originalTitle              // user-controlled title
          , t = e.getBoundingClientRect()
          , o = t.width
          , d = t.height
          , s = getComputedStyle(e)
          , r = function(e, a) {
                var t = i.createElement("div");
                // Sink: e is written as HTML, then the element is attached to the DOM
                for (var o in t.innerHTML = e, a)
                    t.style[o] = a[o];
                i.body.appendChild(t);
                var d = t.getBoundingClientRect().height;
                return i.body.removeChild(t), d
            }
        // ... remainder of the function not included in this advisory

Workaround / Fix
----------------
User-controlled data should not be inserted into the DOM using insecure
functions such as innerHTML. Update to the most recent version of Ibexa
DXP CMS.
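The following is an added example written for this advisory, not Ibexa code: the height-measuring helper above rebuilt in two variants, one that keeps the innerHTML sink and one that uses textContent, together with an escapeHtml() helper for the cases where a markup string genuinely has to be assembled. A small constructed DOM stub (FakeDocument, FakeElement) stands in for the browser so the file runs in Node; its innerHTML setter only simulates what a real parser would do (instantiate every tag, and with it any event-handler attribute), and the payload string is constructed for the demonstration.

```javascript
// Added example for the Ibexa DXP advisory; assumptions: the FakeDocument /
// FakeElement stub below is a constructed stand-in for the browser DOM, and
// the height metric it returns is made up (one 20px line per 40 characters).

class FakeElement {
  constructor(tag) {
    this.tag = tag;
    this.style = {};
    this.text = '';
    this.parsedTags = [];   // tag names a real HTML parser would instantiate
  }
  // innerHTML simulates an HTML parser: every tag in the string becomes an
  // element in the real DOM, so an onerror/onload attribute would execute.
  set innerHTML(markup) {
    this.parsedTags = Array.from(
      String(markup).matchAll(/<([a-zA-Z][\w-]*)/g), m => m[1].toLowerCase());
    this.text = String(markup).replace(/<[^>]*>/g, '');
  }
  // textContent never parses: the whole string becomes one inert text node.
  set textContent(value) {
    this.parsedTags = [];
    this.text = String(value);
  }
  get textContent() { return this.text; }
  getBoundingClientRect() {
    return { width: 0, height: 20 * Math.max(1, Math.ceil(this.text.length / 40)) };
  }
}

class FakeDocument {
  constructor() {
    const children = [];
    this.body = {
      children,
      appendChild(el) { children.push(el); },
      removeChild(el) { children.splice(children.indexOf(el), 1); },
    };
  }
  createElement(tag) { return new FakeElement(tag); }
}

// Vulnerable pattern as described in the advisory: the title string is
// written through innerHTML and the element is attached to the document.
function measureHeightVulnerable(doc, title, styles) {
  const div = doc.createElement('div');
  div.innerHTML = title;                           // DOM XSS sink
  for (const prop in styles) div.style[prop] = styles[prop];
  doc.body.appendChild(div);
  const height = div.getBoundingClientRect().height;
  doc.body.removeChild(div);
  return { height, parsedTags: div.parsedTags };
}

// Hardened variant: textContent inserts the title as a text node, so markup
// in the content name is displayed literally instead of being parsed.
function measureHeightSafe(doc, title, styles) {
  const div = doc.createElement('div');
  div.textContent = title;                         // inert: no parsing
  for (const prop in styles) div.style[prop] = styles[prop];
  doc.body.appendChild(div);
  const height = div.getBoundingClientRect().height;
  doc.body.removeChild(div);
  return { height, parsedTags: div.parsedTags };
}

// For code paths that must build a markup string (templates, tooltips with
// fixed structure), escape the five HTML metacharacters before interpolation.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Constructed content name: a plausible title followed by a markup payload.
const SAMPLE_TITLE = 'Quarterly report <img src=x onerror="alert(1)">';

const doc = new FakeDocument();
console.log('innerHTML  :', measureHeightVulnerable(doc, SAMPLE_TITLE, { width: '200px' }));
console.log('textContent:', measureHeightSafe(doc, SAMPLE_TITLE, { width: '200px' }));
console.log('escaped    :', escapeHtml(SAMPLE_TITLE));
```

In a browser the vulnerable variant instantiates the img element (and fires its onerror handler) even though the div is removed from the body a moment later; the safe variant renders the same string as visible text, which is also why its measured height is larger in the stub. Reviewing a bundle for `innerHTML =` assignments whose right-hand side traces back to dataset attributes or other content fields is a practical way to find further instances of this pattern.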
Timeline
--------
2024-12-20: Discovery by Stephan Sekula
2024-12-20: Initial vendor notification
2024-12-20: Initial vendor response
2025-04-14: Release of fixed Version / Patch
2025-04-14: Coordinated public disclosure date

References
----------
[1] https://www.ibexa.co/products/overview