Hi there,

Thanks for contacting us. Sorry for the inconvenience. Will you please provide me the Joomla administrator access to check the issue? I will check & get back to you soon. 

Note: Please capture a screencast video about the full scenario.

-Thanks

Hello Toufiq, I've created a temporary admin account, you'll find the credentials in the hidden part of this message. Downgrading to 3.8.9 allowed me the make the requested changes, but updating back to 4.0.6 put the issue back on the plate. But this is not a valid solution. Updating via Joomla does not seem to work either, even though we do have a valid pro license.

Sorry! Administrator access doesn't work.

Username and password do not match or you do not have an account yet.

Ah. My bad, sorry. I've created the account on another affected site. Please find the link in the hidden content below.

I think your server blocked loading the page builder resources. That's why occurred the problem. I have checked your site from my localhost and it works fine.

https://prnt.sc/R3DTQr6WPDj5

what kind of ressources are loaded that are blocked by the server? Is there any kind of neccesary server configuration that should take place? Do you have installation requirements to use PageBuilder with the new Version?

Here the error - message from the server:

[Wed Nov 09 09:59:22.601971 2022] [:error] [pid 10968:tid 140272741639936] [client 213.135.240.236:58983] [client 213.135.240.236] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:data.data.columns.columns.addons.addons.icon: <svg viewBox=\x220 0 32 32\x22 xmlns=\x22www.w3.org/2000/svg\x22><path d=\x22M18.631 30v-1.648h.517c.445 0 .86-.032 1.248-.094.39-.065.727-.197 1.012-.394.286-.196.516-.482.688-.851.172-.37.257-.862.257-1.477v-9.19H9.65v9.19c0 .614.085 1.105.256 1.477.172.369.401.655.688.851.286.199.625.328 1.02.394.395.063.807.095 1.24.095h.517V30H2v-1.647h.497c.444 0 .86-.032 1.249-.095a2.524 2.524 0 001.021-.394c.292-.198.52-..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.notaire-welbes.lu"] [uri "/index.php"] [unique_id "Y2tr6gepLWc9cMP7mtAZ4gAAUB4"], referer: https://www.notaire-welbes.lu/de/kontakt/edit/7

According to our hosts, this should be fixed within the programming of the plugin. We can turn off the mod-security blocking, but the website is then no longer protected against code injection attacks.

Can you check that and patch the vulnerabilities

I have checked from my hosting and it also works fine. Just disabled HTTPS.

I can deactivate the mod-security, but I think that would not be the best option, because of opening the possibility for XSS und code injection. Is there a way to fix that in you code?

I don't think it would be problem after disable mod_security.

Yes, sure, but it's a security hole which I don't want to fix on the server for all pages.

Is there another way to only use the page builder in the backend?

I have checked your site on my hosting and mod_security is enabled.

https://prnt.sc/zhNJpoaQAaFh

If you use the ssl certificate then disable the rocket_loader from your cloud flare.

Thank you for the tip, but that did not work for us. I turned the rocket_loader of in sec settings from cloudflare but the error still exists and we are still not able to use your template.

So my question will still be if you could change that in your code or if there is an option inside PB - Plugin to enable the "old layout" (IMHO the more intuitive and powerfull one)

Sorry, I have shown you that your site works fine on my testing server. I would request you to contact your hosting provider to unblock to load the Page Builder resources. You can share your site which is loaded on my server. Thanks

see hidden answer

I didn't tell youn to disable the mod_security. Even i shown you my hosting is enabled and it works fine.

that doesn't get us anywhere! We still get the error message when calling the page...

ModSecurity: Access denied with code 403 (phase 2).

I think this is clearly a ModSecurity issue. We don't want to turn it off... So I need a solution for that!

edit

Maybe you can you tell us what modsecurity version is used, what kind of rules and especially what excludes are configured . Otherwise we won't get any further!

You will get full information from this URL.

http://helix-framework.org/user/notaire/administrator/index.php?option=com_admin&view=sysinfo

This information is insufficient. It is specifically about the configuration of mod_secure....

kind of rules and what excludes are configured for mod_secure!