Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/216353?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/216353?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.10.1", "type": "composer", "namespace": "ezsystems", "name": "ezpublish-legacy", "version": "2017.10.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2017.12.7.4", "latest_non_vulnerable_version": "2019.03.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40404?format=api", "vulnerability_id": "VCID-2975-xhf4-ckcj", "summary": "Improper Access Control\nPasswordless login for LDAP users", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56944?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56945?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" } ], "aliases": [ "GMS-2018-65" ], "risk_score": null, 
"exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2975-xhf4-ckcj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41434?format=api", "vulnerability_id": "VCID-29ju-364n-qkch", "summary": "Content object state fetch functions open to SQL injection\n### Impact\nThis Security Update is about a vulnerability in eZ Publish Legacy. The content object state code could be vulnerable to SQL injection. There is no known exploit, but one might be possible. If you use Legacy in any way, we strongly recommend that you install this update as soon as possible.\n\n### Patches\nThe fix is distributed via Composer, see \"Patched versions\".", "references": [ { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42" }, { "reference_url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w" }, { 
"reference_url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/534872?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/58935?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/534880?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/58936?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%252B1" } ], "aliases": [ "GHSA-jpwx-ffjq-wr4w", "GMS-2021-112" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-29ju-364n-qkch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54824?format=api", "vulnerability_id": "VCID-2adj-kpzr-eycv", "summary": "eZ 
Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template\nThis security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge.\n\nInstallations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply this patch manually:\nhttps://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": "https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5", "reference_id": "GHSA-2vh3-cj9j-mcj5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228782?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/56945?format=api", "purl": 
"pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228783?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81351?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2" } ], "aliases": [ "GHSA-2vh3-cj9j-mcj5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2adj-kpzr-eycv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54865?format=api", "vulnerability_id": "VCID-a651-ayct-2fa1", "summary": "eZ Publish Legacy Patch EZSA-2018-001 for Several vulnerabilities\nThis security advisory fixes 4 separate vulnerabilities in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using 
Legacy by itself or via the LegacyBridge.\n\nFirst, it increases the randomness, and thus the security, of the pseudo-random bytes used to generate a hash for the \"forgot password\" feature. This protects accounts against being taken over through attacks trying to predict the hash. If the increased randomness is not available in your PHP installation, it will now log a warning.\n\nSecond, it improves security of the information collector feature, by ensuring no collection emails will be sent from invalid manipulated forms.\n\nThird, it stops the possible leaking of the names of content objects that should not be readable for certain users, on installations where these users can create or edit XML text.\n\nFourth, it protects against cross-site scripting (XSS) in the Matrix data type, on installations where users are allowed to edit content classes / content types.\n\nWe recommend that you install the security update as soon as possible.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply these patches manually:\n https://github.com/ezsystems/ezpublish-legacy/commit/917711eb7ffe2b52a3e9fe12505f6810a63696f7\n https://github.com/ezsystems/ezpublish-legacy/commit/6db0e6b7739481f27d954548388bd3f0ed2c6fdd\n https://github.com/ezsystems/ezpublish-legacy/commit/efcd2b61b15eaaf74e0ff28d6c723cf28e655dab\n https://github.com/ezsystems/ezpublish-legacy/commit/f9ffaf590b63b4f552142cfd4441afbbfb3f19b1", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/6db0e6b7739481f27d954548388bd3f0ed2c6fdd", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://github.com/ezsystems/ezpublish-legacy/commit/6db0e6b7739481f27d954548388bd3f0ed2c6fdd" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/917711eb7ffe2b52a3e9fe12505f6810a63696f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/917711eb7ffe2b52a3e9fe12505f6810a63696f7" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/efcd2b61b15eaaf74e0ff28d6c723cf28e655dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/efcd2b61b15eaaf74e0ff28d6c723cf28e655dab" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/f9ffaf590b63b4f552142cfd4441afbbfb3f19b1", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/f9ffaf590b63b4f552142cfd4441afbbfb3f19b1" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-02-26-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-02-26-1.yaml" }, { "reference_url": "https://web.archive.org/web/20210614192631/http://share.ez.no/community-project/security-advisories/ezsa-2018-001-several-vulnerabilities-in-forgot-password-information-collector-xml-text-and-matrix-field-type-features", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://web.archive.org/web/20210614192631/http://share.ez.no/community-project/security-advisories/ezsa-2018-001-several-vulnerabilities-in-forgot-password-information-collector-xml-text-and-matrix-field-type-features" }, { "reference_url": "https://github.com/advisories/GHSA-82rv-45pc-v28w", "reference_id": "GHSA-82rv-45pc-v28w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-82rv-45pc-v28w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55097?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.2%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.2%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228264?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2975-xhf4-ckcj" }, { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-rkq7-5cdy-k7d8" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.2.1" } ], "aliases": [ "GHSA-82rv-45pc-v28w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a651-ayct-2fa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39436?format=api", "vulnerability_id": "VCID-bmkb-zcyd-6kdk", "summary": "Cross-site Scripting\nSeveral vulnerabilities in Forgot 
password, Information collector, XML text, and Matrix field type features", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-001-several-vulnerabilities-in-forgot-password-information-collector-xml-text-and-matrix-field-type-features", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-001-several-vulnerabilities-in-forgot-password-information-collector-xml-text-and-matrix-field-type-features" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55097?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.2%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.2%252B1" } ], "aliases": [ "GMS-2018-64" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bmkb-zcyd-6kdk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40467?format=api", "vulnerability_id": "VCID-eaqz-xw6f-6yeb", "summary": "EZSA-2018-009 Do not interpret PHP/PHAR uploads", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57078?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": 
"pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/56951?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-8zn2-ztg4-s3ex" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0" } ], "aliases": [ "GMS-2018-67" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaqz-xw6f-6yeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54903?format=api", "vulnerability_id": "VCID-f41r-p9hu-hyhx", "summary": "Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads\nThe eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled, and consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper.\n\n**1. WEB SERVER CONFIGURATION**\nThe sample web server configuration in our documentation can in some cases allow the execution of uploaded PHP/PHAR code. This can be abused to allow priviledge escalation and breach of content access controls, among other things. Please ensure that your web server will not execute files in directories were files may be uploaded, such as web/var/ and ezpublish_legacy/var/\n\nAs an example, here is how you can make Apache return HTTP 403 Forbidden for a number of executable file types in your eZ Platform var directory. Please adapt it to your needs. 
It is then possible to enable logging of HTTP 403 in a separate log file if you wish, you could do this to see if someone is trying to abuse the server.\n```\nRewriteEngine On", "references": [ { "reference_url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": 
"https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm", "reference_id": "GHSA-pqjm-xcp8-wgmm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57078?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/250596?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/56950?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": 
"pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/534873?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81440?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B3" } ], "aliases": [ "GHSA-pqjm-xcp8-wgmm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f41r-p9hu-hyhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54912?format=api", "vulnerability_id": "VCID-rkq7-5cdy-k7d8", "summary": "eZ Publish Legacy Passwordless login for LDAP users\nThis security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy.\n\nInstallations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may in rare cases be vulnerable to a failure of the standard login handler to verify passwords correctly, allowing unauthorised access.\n\nIf your installation has never used the LDAP or TextFile login handlers, or never used legacy login at all, then it is not affected. 
Still, we recommend installing the update, to be on the safe side.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply this patch manually:\nhttps://github.com/ezsystems/ezpublish-legacy/commit/13f03a2be6c0ee4d0caaafaef05904ea9b0c4d9d", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/01930a95637389301f762be1439f726013e58aba", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/01930a95637389301f762be1439f726013e58aba" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/pull/1394", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/pull/1394" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-10-31-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-10-31-1.yaml" }, { "reference_url": "https://issues.ibexa.co/browse/EZP-29703", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.ibexa.co/browse/EZP-29703" }, { "reference_url": "https://web.archive.org/web/20201027063527/https://magento.com/security/news/new-zend-framework-1-security-vulnerability", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20201027063527/https://magento.com/security/news/new-zend-framework-1-security-vulnerability" }, { "reference_url": "https://web.archive.org/web/20210614184552/https://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614184552/https://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users" }, { "reference_url": "https://github.com/advisories/GHSA-p9mp-vq4v-v5m5", "reference_id": "GHSA-p9mp-vq4v-v5m5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9mp-vq4v-v5m5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56944?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228279?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/81448?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228280?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/81447?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228281?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.1" } ], "aliases": [ "GHSA-p9mp-vq4v-v5m5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkq7-5cdy-k7d8" }, { 
"url": "http://public2.vulnerablecode.io/api/vulnerabilities/40407?format=api", "vulnerability_id": "VCID-ufw5-emg4-cqd6", "summary": "EZSA-2018-006 XSS vulnerability in 'disabled module' error template", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/56950?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/56951?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-8zn2-ztg4-s3ex" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0" } ], "aliases": [ "GMS-2018-66" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ufw5-emg4-cqd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52412?format=api", "vulnerability_id": "VCID-ukn1-91je-x7hw", "summary": "Unrestricted Upload of File with Dangerous Type\neZ Publish Legacy allows remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only `app.php` execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02833", "scoring_system": "epss", "scoring_elements": "0.86454", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02833", "scoring_system": "epss", "scoring_elements": "0.86477", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806" }, { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806", "reference_id": "CVE-2020-10806", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806" } ], "fixed_packages": [ 
{ "url": "http://public2.vulnerablecode.io/api/packages/250600?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76946?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/250608?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76947?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%252B2" } ], "aliases": [ "CVE-2020-10806", "GHSA-54p5-gxq6-j98g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ukn1-91je-x7hw" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.10.1" }