PT-2024-30532 · Ibexa · Ibexa Richtext Field Type

4Rdr · Published 2024-08-14 · Updated 2024-08-19 · CVE-2024-43369

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ibexa RichText Field Type versions prior to 4.6.10

Description: The validator for the RichText field type blocklists javascript: and vbscript: in links to prevent XSS, but this check can be circumvented using upper case, and other bypass options remain open. Content editing permissions for RichText content are required to exploit this issue, which typically means the Editor role or higher. The fix implements an allowlist instead, which permits only approved link protocols, and the new check is case insensitive.

Recommendations: For versions prior to 4.6.10, update to version 4.6.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the RichText field type until the patch is applied. Avoid using the javascript: and vbscript: protocols in links to minimize the risk of exploitation.
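The following is an added illustration of the two validation strategies the description contrasts; it is example code written for this page, not Ibexa's own validator, and its allowlist of schemes is an assumption chosen for the demonstration. It shows why a case-sensitive blocklist fails on upper-case schemes and how a scheme allowlist with lowercase normalisation closes that gap, then runs both checks over a small constructed HTML-like fragment the way a field validator would before saving content.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional

# Schemes the allowlist accepts. This set is an assumption for the example;
# a real product's approved list may differ.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "tel", "ftp"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(href: str) -> Optional[str]:
    """Return the lowercase scheme of href, or None if the link has no scheme.

    Leading/trailing whitespace and embedded ASCII tab/newline characters are
    removed first, mirroring the normalisation browsers apply before parsing.
    """
    cleaned = href.strip().replace("\t", "").replace("\n", "").replace("\r", "")
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_link_safe_blocklist(href: str) -> bool:
    """Case-sensitive blocklist, a simplified stand-in for the pre-4.6.10 check.

    Only the exact lowercase prefixes are rejected, so any other spelling of
    the scheme, and any scheme not on the list, passes unchanged.
    """
    return not (href.startswith("javascript:") or href.startswith("vbscript:"))


def is_link_safe_allowlist(href: str) -> bool:
    """Allowlist check: relative links pass, absolute links need an approved scheme.

    Because scheme_of() lowercases the scheme, upper- and mixed-case spellings
    are judged identically, and unlisted schemes are rejected by default.
    """
    scheme = scheme_of(href)
    if scheme is None:
        # No scheme at all: relative path, query-only or fragment-only link.
        return True
    return scheme in ALLOWED_SCHEMES


class _LinkCollector(HTMLParser):
    """Collect href values of <a> elements from a markup fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def unsafe_links(fragment: str, check=is_link_safe_allowlist) -> List[str]:
    """Return every href in the fragment that the given check rejects."""
    parser = _LinkCollector()
    parser.feed(fragment)
    parser.close()
    return [h for h in parser.hrefs if not check(h)]


# Constructed sample content for the demonstration (not real Ibexa data).
SAMPLE_FRAGMENT = (
    '<p><a href="https://example.com/">ok</a> '
    '<a href="JAVASCRIPT:example">upper-case scheme</a> '
    '<a href="/docs/page">relative</a> '
    '<a href="mailto:editor@example.com">mail</a></p>'
)

if __name__ == "__main__":
    print("blocklist rejects:", unsafe_links(SAMPLE_FRAGMENT, is_link_safe_blocklist))
    print("allowlist rejects:", unsafe_links(SAMPLE_FRAGMENT, is_link_safe_allowlist))
```

Running the module shows the blocklist rejecting nothing in the sample while the allowlist flags the upper-case link; the allowlist also rejects any scheme it has never heard of, which is the property that makes it the more robust default for a content editor.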

Tags: Exploit · Fix · XSS


Related Identifiers: CVE-2024-43369, GHSA-HVCF-6324-CJH7, GHSA-RHM7-7469-RCPW

Affected Products: Ibexa Richtext Field Type