PT-2023-12596 · Ibexa · Ez Platform Ibexa Kernel

Published 2021-03-19 · Updated 2025-03-04 · CVE-2021-46875

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: eZ Platform Ibexa Kernel, versions prior to 1.3.1.1
Description: The kernel's file upload accepts scriptable file types such as .html and .js, so an uploaded file can carry JavaScript. When a link to such a file is opened, the browser renders it and runs the embedded script, giving a stored XSS condition against anyone who follows the link. The root cause is that these file types are not excluded by the upload filetype blacklist. The number of affected installations is not specified.
Recommendations: Upgrade to Ibexa Kernel 1.3.1.1 or later. For versions prior to 1.3.1.1, add common scriptable file types to the existing filetype blacklist by extending the ezsettings.default.io.file_storage.file_type_blacklist setting. Adapt the list to your installation and do not blacklist file types that editors legitimately need to upload. Where a scriptable type such as SVG must remain uploadable, consider routing it through an approval workflow instead of allowing direct publication.
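As an added illustration, not taken from this advisory or from Ibexa's own documentation, the following Symfony parameters fragment shows how the blacklist recommended above might be extended on a pre-1.3.1.1 installation. The file path, the set of default entries and the exact parameter name are assumptions based on recollection of ezplatform-kernel's default settings, so verify them against the defaults shipped with your installed version before deploying; extensions are listed without a leading dot.

```yaml
# config/packages/ezplatform.yaml (path assumed; any loaded parameters file works)
parameters:
    # Replaces the whole list, so the shipped PHP-related defaults must be
    # repeated here (assumed to match the installed kernel's default_settings).
    ezsettings.default.io.file_storage.file_type_blacklist:
        - php
        - php3
        - phar
        - phpt
        - pht
        - phtml
        - pgif
        # Added entries: browser-rendered or script-bearing types that
        # would otherwise be served from the site and executed as XSS.
        - html
        - htm
        - xhtml
        - js
        - mjs
        - xml
        - xsl
        - xslt
        - shtml
        # svg is also scriptable. Leave it out only if editors need it,
        # and then gate it behind an approval workflow as the advisory suggests.
        - svg
```

The parameter is a plain list rather than a merge, so omitting the original PHP entries would silently re-enable uploads the kernel blocked before; after changing it, clear the cache and test an upload of each blacklisted type to confirm the rejection.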

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-46875
GHSA-C737-JHWR-FQXJ
GHSA-MRVJ-7Q4F-5P42

Affected Products

Ez Platform Ibexa Kernel