The CVE-2025-22094 vulnerability is a persistent Cross-Site Scripting (XSS) flaw within the eZ Platform admin UI. It specifically affects the modal window used for canceling or rescheduling future content publications. The vulnerability arises because the application fails to properly sanitize user-supplied input in certain fields, such as image asset names and content language names, before rendering them in the back office interface. When an attacker with editor-level permissions or higher injects a malicious script into one of these fields, the script is stored in the database. This script is then executed in the victim’s browser when the administrative user views the affected modal or, in some cases, when the data is reflected on the frontend. The exploit requires an authenticated session with specific content management privileges, as the attack vector is within the administrative back office. The patch resolves the issue by implementing proper context-aware output escaping, ensuring any HTML or JavaScript input is rendered as inert text rather than executable code.
Platform: eZ Platform
Version: 2.3.0 – 2.3.38
Vulnerability: Persistent XSS
Severity: Moderate
Date: 2025-10-17
Prediction: 2025-10-24
What Undercode Says:
`curl -s https://developers.ibexa.co/security-advisories/ibexa-sa-2025-004-xss-and-enumeration-vulnerabilities-in-back-office | grep -i xss`
`composer show ezsystems/ezplatform-admin-ui | grep versions`
`npm audit --production`
How It Is Exploited:
Malicious script injection into asset names or language fields by an authenticated user with editing permissions. The payload executes when an administrator loads the publication modal.
Protection from this CVE:
Upgrade to version 2.3.39. Implement strict Content Security Policy (CSP) headers. Sanitize all user-controlled data before rendering.
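The "before" and "after" of the fix described above, as an added example that is not eZ Platform's own code: the modal builders, field names and sample record are hypothetical stand-ins for the Twig-rendered publication modal, and show why the escaping has to match the output context (text node versus attribute value).

```javascript
// Added example, not eZ Platform's own code: the modal builders, field
// names and sample record below are hypothetical stand-ins for the
// Twig-rendered publication modal the advisory describes.

// Escape for HTML text content (between tags).
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Escape for a double-quoted HTML attribute value: the text rules plus
// the quote characters that would otherwise terminate the attribute.
function escapeHtmlAttr(value) {
  return escapeHtmlText(value).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Before the fix: stored names are concatenated straight into the markup,
// so a name containing markup is parsed as markup.
function buildModalUnsafe(item) {
  return `<div class="modal" data-lang="${item.languageName}">` +
    `<h2>Cancel scheduled publication</h2>` +
    `<p>Asset: ${item.assetName}</p></div>`;
}

// After the fix: each value is escaped for the context it lands in, so the
// same names render as inert text.
function buildModalSafe(item) {
  return `<div class="modal" data-lang="${escapeHtmlAttr(item.languageName)}">` +
    `<h2>Cancel scheduled publication</h2>` +
    `<p>Asset: ${escapeHtmlText(item.assetName)}</p></div>`;
}

// Counts name="value" attributes on the modal's opening <div> tag; an
// attribute-context injection shows up as an extra attribute.
function countAttributes(html) {
  const tag = html.match(/<div[^>]*>/)[0];
  return (tag.match(/[\w-]+="[^"]*"/g) || []).length;
}

// Constructed sample record standing in for editor-supplied values read
// back from the database (not real data from the advisory).
const SAMPLE = {
  assetName: 'banner<script>alert(1)</script>.png',
  languageName: 'eng-GB" onmouseover="alert(1)',
};

console.log(countAttributes(buildModalUnsafe(SAMPLE)), countAttributes(buildModalSafe(SAMPLE)));
```

The unsafe builder yields a third attribute on the div and a live `<script>` element; the fixed builder keeps both values inside the text node and attribute they were meant for.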
Impact:
Persistent XSS in admin interface, potential session hijacking, unauthorized admin actions, possible frontend user compromise.
Sources:
Reported By: github.com