CVE-2025-45718 is a persistent (stored) cross-site scripting (XSS) flaw in the Rich Text field type of Ibexa DXP. The defect lies in the handling of the custom 'acronym' tag: when a user with back-office editing privileges, such as an Editor or Administrator, places a malicious script inside an acronym tag, the application fails to sanitize or escape the content before storing it in the database, so the payload persists with the content. Whenever the rich text containing the malicious acronym is rendered, either in the back office for other privileged users or potentially on the front-end website, the embedded script executes in the victim's browser context. This lets an attacker act on behalf of the victim, potentially hijacking their session or performing unauthorized administrative functions within the DXP platform.
Platform: Ibexa DXP
Version: 5.0.0-5.0.2
Vulnerability: Persistent XSS
Severity: Moderate
Date: 2025-10-17
Prediction: Patch available
What Undercode Says:
`grep -r "acronym" src/`
`npm audit --production`
`composer update ibexa/fieldtype-richtext`
How to Exploit:
`alert('XSS')">TEST`
Protection from this CVE:
Update to v5.0.3
Implement Content-Security-Policy
Sanitize user input
Impact:
Session Hijacking
Privilege Escalation
Data Theft
Sources:
Reported By: github.com

