CVE-2024-43369
Description
Ibexa RichText Field Type is a Field Type for supporting rich formatted text stored in a structured XML format. In versions on the 4.6 branch prior to 4.6.10, the validator for the RichText fieldtype blocklists javascript: and vbscript: in links to prevent XSS. This leaves other, unlisted link schemes unblocked, and the check itself can be circumvented using upper case. Content editing permissions for RichText content are required to exploit this vulnerability, which typically means the Editor role or higher. The fix implements an allowlist instead, which accepts only approved link protocols, and the new check is case insensitive. Version 4.6.10 contains a patch for this issue. No known workarounds are available.
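To make the blocklist-versus-allowlist point concrete, here is an added example (not Ibexa's code, and not the original PHP validator) that re-implements the patched Schematron rule in plain Python and runs both strategies over the same link targets. The allowed prefixes and the forbidden characters are taken from the assert messages in the patches; the function names, the blocklist approximation of the pre-4.6.10 behaviour, and the sample DocBook fragment are constructed for this example.

```python
"""
Blocklist vs allowlist validation of RichText link targets.

Added example, not Ibexa's code: a plain-Python re-implementation of the
Schematron rule in the patched docbook.iso.sch, so the two strategies can be
compared on the same inputs. The allowed prefixes and the forbidden characters
are the ones in the advisory's assert messages; the function names and the
sample DocBook fragment are constructed for this example.
"""
import string
import xml.etree.ElementTree as ET

DOCBOOK_NS = "http://docbook.org/ns/docbook"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Allowed prefixes, exactly the list in the patched assert message.
ALLOWED_PREFIXES = (
    "http://", "https://", "mailto:",
    "ezcontent://", "ezlocation://", "ezremote://", "ezurl://",
    "/", "#",
)
FORBIDDEN_CHARS = ('<', '>', '"')
PREFIX_ERROR = "links must start with one of: " + ", ".join(ALLOWED_PREFIXES)
CHARS_ERROR = 'using characters [< > "] in links is not allowed'

# Mirrors XPath translate(@href, $upperCase, $lowerCase): only ASCII letters
# are folded, which is all a scheme-name comparison needs.
_ASCII_FOLD = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def href_passes_blocklist(href: str) -> bool:
    """Pre-4.6.10 strategy (constructed approximation, not the original code):
    reject two known-bad schemes by exact, case-sensitive prefix; everything
    else is accepted, including mixed-case spellings of the same schemes."""
    return not href.startswith(("javascript:", "vbscript:"))


def href_passes_allowlist(href: str) -> bool:
    """4.6.10 strategy: case-insensitive prefix allowlist. Any scheme not on
    the list is rejected, so case variants of an unlisted scheme cannot help."""
    lowered = href.translate(_ASCII_FOLD)
    return lowered.startswith(ALLOWED_PREFIXES)


def href_has_forbidden_chars(href: str) -> bool:
    """Second assert from the schema: characters that could terminate the
    attribute or tag once the link is rendered are refused outright."""
    return any(c in href for c in FORBIDDEN_CHARS)


def validate_docbook(xml_text: str) -> list:
    """Run both asserts over every db:link in a DocBook fragment and return
    the error messages in document order (an empty list means valid)."""
    root = ET.fromstring(xml_text)
    errors = []
    for link in root.iter("{%s}link" % DOCBOOK_NS):
        href = link.get(XLINK_HREF, "")
        if not href_passes_allowlist(href):
            errors.append(PREFIX_ERROR)
        if href_has_forbidden_chars(href):
            errors.append(CHARS_ERROR)
    return errors


# Constructed sample: one good link, one mixed-case scheme that slips past the
# blocklist, and one URL carrying a double quote.
SAMPLE_DOCBOOK = """<section xmlns="%s" xmlns:xlink="http://www.w3.org/1999/xlink">
  <para><link xlink:href="https://example.org/page">fine</link></para>
  <para><link xlink:href="JavaScript:void(0)">mixed case</link></para>
  <para><link xlink:href="http://example.org/?q=&quot;x">quote</link></para>
</section>""" % DOCBOOK_NS

if __name__ == "__main__":
    for href in ("javascript:void(0)", "JavaScript:void(0)",
                 "HTTPS://Example.org/", "/relative"):
        print("%-22s blocklist=%-5s allowlist=%s" % (
            href, href_passes_blocklist(href), href_passes_allowlist(href)))
    print(validate_docbook(SAMPLE_DOCBOOK))
```

The mixed-case link passes the blocklist and fails the allowlist, which is the whole of the fix: with an allowlist, case folding only matters for accepting legitimate upper-case spellings of approved schemes, because any prefix that does not fold to an approved one is rejected regardless of how it is cased. The ASCII-only fold reproduces what XPath `translate()` does with the schema's `$upperCase`/`$lowerCase` strings rather than Python's broader `str.lower()`, so the example rejects and accepts the same inputs the Schematron rule would.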
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ibexa/fieldtype-richtext (Packagist) | >= 4.6.0, < 4.6.10 | 4.6.10 |
Patches
0a3b830e8806 Merge branch '2.3' into 4.6
3 files changed · +6 −5
src/bundle/Resources/richtext/schemas/docbook/docbook.iso.sch+2 −1 modified@@ -260,8 +260,9 @@ starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or + starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '/') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')" - mode="schematron-get-full-path-2">links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #</s:assert> + mode="schematron-get-full-path-2">links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, /, #</s:assert> <s:assert test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"
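Review bot: the new `starts-with(..., '/')` branch also admits protocol-relative targets such as `//host/path`, because those begin with `/` too; if the intent is to accept only site-local paths, pair it with `and not(starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '//'))`, otherwise document that `//` is deliberately accepted. The assert message on the same line was updated together with the test expression, which keeps the two in step.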
src/bundle/Resources/richtext/schemas/docbook/docbook.iso.sch.xsl+1 −1 modified@@ -79,7 +79,7 @@ <axsl:template match="db:link" priority="1000" mode="M3"><svrl:fired-rule xmlns:svrl="http://purl.oclc.org/dsdl/svrl" context="db:link"/> <!--ASSERT --> -<axsl:choose><axsl:when test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"><axsl:attribute name="location"><axsl:apply-templates select="." 
mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose> +<axsl:choose><axsl:when test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '/') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '/') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 
'#')"><axsl:attribute name="location"><axsl:apply-templates select="." mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, /, #</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose> <!--ASSERT --> <axsl:choose><axsl:when test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"><axsl:attribute name="location"><axsl:apply-templates select="." mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>using characters [< > "] in links is not allowed</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template><axsl:template match="text()" priority="-1" mode="M3"/><axsl:template match="@*|node()" priority="-2" mode="M3"><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template></axsl:stylesheet>
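Review bot: docbook.iso.sch.xsl is the compiled form of docbook.iso.sch, and this hunk repeats the edited expression twice (in the `axsl:when test=` and again in the `svrl:failed-assert test=` attribute) plus the `svrl:text` message; confirm the file was regenerated from the schema rather than edited by hand so the three copies cannot drift from the .sch, and consider recording the generation command so the next scheme addition is regenerated the same way.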
tests/lib/FieldType/RichTextTest.php+3 −3 modified@@ -229,7 +229,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, /, #', null, [], 'xml' @@ -244,7 +244,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, /, #', null, [], 'xml' @@ -274,7 +274,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, /, #', null, [], 'xml'
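Review bot: the test change only rewrites the expected error string in three provider entries; no case exercises the behaviour this commit adds. Add provider entries for a `/relative/path` link that must validate, a `//other-host/` link that pins whichever outcome is intended, and an upper-case scheme such as `HTTPS://` that must now pass given the `translate()` case folding in the schema.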
59e9c1a9da60 Merge branch '2.3' into 4.6
3 files changed · +7 −5
src/bundle/Resources/richtext/schemas/docbook/docbook.iso.sch+3 −1 modified@@ -258,8 +258,10 @@ starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or + starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or + starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')" - mode="schematron-get-full-path-2">links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, #</s:assert> + mode="schematron-get-full-path-2">links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #</s:assert> <s:assert test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"
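Review bot: the `ezremote://` and `ezurl://` additions are consistent between the test expression and the assert message, but the allowed-scheme list is now maintained by hand in the .sch, in the generated .xsl and in three test strings; consider having the test derive the expected message from one shared constant, so a scheme added to the schema but missed in the message (or the reverse) fails a test instead of going unnoticed.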
src/bundle/Resources/richtext/schemas/docbook/docbook.iso.sch.xsl+1 −1 modified@@ -79,7 +79,7 @@ <axsl:template match="db:link" priority="1000" mode="M3"><svrl:fired-rule xmlns:svrl="http://purl.oclc.org/dsdl/svrl" context="db:link"/> <!--ASSERT --> -<axsl:choose><axsl:when test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"><axsl:attribute name="location"><axsl:apply-templates select="." 
mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, #</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose> +<axsl:choose><axsl:when test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'http://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'https://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'mailto:') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezcontent://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezlocation://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezremote://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), 'ezurl://') or starts-with(translate(@*[name()='xlink:href'], $upperCase, $lowerCase), '#')"><axsl:attribute name="location"><axsl:apply-templates select="." 
mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose> <!--ASSERT --> <axsl:choose><axsl:when test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="not(contains(@*[name()='xlink:href'], '<') or contains(@*[name()='xlink:href'], '>') or contains(@*[name()='xlink:href'], '"'))"><axsl:attribute name="location"><axsl:apply-templates select="." mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>using characters [< > "] in links is not allowed</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template><axsl:template match="text()" priority="-1" mode="M3"/><axsl:template match="@*|node()" priority="-2" mode="M3"><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template></axsl:stylesheet>
tests/lib/FieldType/RichTextTest.php+3 −3 modified@@ -229,7 +229,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', null, [], 'xml' @@ -244,7 +244,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', null, [], 'xml' @@ -274,7 +274,7 @@ public function providerForTestValidate() [ new ValidationError( "Validation of XML content failed:\n" . - '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, #', + '/section/para/link: links must start with one of: http://, https://, mailto:, ezcontent://, ezlocation://, ezremote://, ezurl://, #', null, [], 'xml'
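Review bot: as in the other merge, only expected message strings change here; add provider cases with `ezremote://` and `ezurl://` hrefs, in lower and mixed case, that must validate, so the two new prefixes are covered by a positive test rather than only by the text of the error message.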
References
- github.com/advisories/GHSA-hvcf-6324-cjh7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-43369 (GHSA, advisory)
- developers.ibexa.co/security-advisories/ibexa-sa-2024-005-persistent-xss-in-richtext (NVD, web)
- github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-rhm7-7469-rcpw (NVD, web)
- github.com/ibexa/fieldtype-richtext/commit/0a3b830e8806d5169f697351fdc48ffd95a25c67 (NVD, web)
- github.com/ibexa/fieldtype-richtext/commit/59e9c1a9da60597f60cf7338bf289dccaa7e27ca (NVD, web)
- github.com/ibexa/fieldtype-richtext/security/advisories/GHSA-hvcf-6324-cjh7 (NVD, web)