Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/228268?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/228268?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.3.2", "type": "composer", "namespace": "ezsystems", "name": "ezpublish-legacy", "version": "2017.12.3.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2017.12.7.4", "latest_non_vulnerable_version": "2019.03.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40404?format=api", "vulnerability_id": "VCID-2975-xhf4-ckcj", "summary": "Improper Access Control\nPasswordless login for LDAP users", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56944?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56945?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" } ], "aliases": [ "GMS-2018-65" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2975-xhf4-ckcj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41434?format=api", "vulnerability_id": "VCID-29ju-364n-qkch", "summary": "Content object state fetch functions open to SQL injection\n### Impact\nThis Security Update is about a vulnerability in eZ Publish Legacy. The content object state code could be vulnerable to SQL injection. There is no known exploit, but one might be possible. If you use Legacy in any way, we strongly recommend that you install this update as soon as possible.\n\n### Patches\nThe fix is distributed via Composer, see \"Patched versions\".", "references": [ { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42" }, { "reference_url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/534872?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/58935?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/534880?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/58936?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%252B1" } ], "aliases": [ "GHSA-jpwx-ffjq-wr4w", "GMS-2021-112" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-29ju-364n-qkch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54824?format=api", "vulnerability_id": "VCID-2adj-kpzr-eycv", "summary": "eZ Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template\nThis security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge.\n\nInstallations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply this patch manually:\nhttps://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": "https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5", "reference_id": "GHSA-2vh3-cj9j-mcj5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228782?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/56945?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228783?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81351?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2" } ], "aliases": [ "GHSA-2vh3-cj9j-mcj5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2adj-kpzr-eycv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54856?format=api", "vulnerability_id": "VCID-6cyy-uhhk-63aa", "summary": "EZsystems Remote code execution in file uploads\nThis Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if you have strict controls on this and trust all who have this permission, you're not affected. On the basis of the tests we have made, we also believe the vulnerability cannot be exploited as long as our recommended vhost configuration is used. Here is the v2.5 recommendation for Nginx, as an example:\n\nhttps://github.com/ezsystems/ezplatform/blob/2.5/doc/nginx/vhost.template#L31\n\nThis vhost template specifies that only the file app.php in the web root is executed, while vulnerable configurations allow execution of any php file. Apache is affected in the same way as Nginx, and is also protected by using the recommended configuration. The build-in webserver in PHP stays vulnerable, as it doesn't use this type of configuration (this webserver should only be used for development, never for production). We cannot be 100% certain our configuration is not vulnerable. We also do not know if all our users use the recommended configuration, so we send out this fix to be on the safe side.\n\nThe fix includes a blocklist feature for uploaded filenames, such as \".php\". The file types on the blocklist cannot be uploaded. The blocklist is configurable. In eZ Platform you will find it as ezsettings.default.io.file_storage.file_type_blocklist in eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml in vendors/ezsystems/ezpublish-kernel. In eZ Publish Legacy you will find it as FileExtensionblocklist in settings/file.ini. By default it blocks these file types: php, php3, phar, phpt, pht, phtml, pgif. The fix also inclues a new block against path traversal attacks, though this kind of attack was not reproducible in our tests.", "references": [ { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-03-03-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-03-03-1.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-9895-26wr-4fgv", "reference_id": "GHSA-9895-26wr-4fgv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9895-26wr-4fgv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/250600?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76946?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/250608?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76947?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%252B2" } ], "aliases": [ "GHSA-9895-26wr-4fgv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6cyy-uhhk-63aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40467?format=api", "vulnerability_id": "VCID-eaqz-xw6f-6yeb", "summary": "EZSA-2018-009 Do not interpret PHP/PHAR uploads", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57078?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/56951?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-8zn2-ztg4-s3ex" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0" } ], "aliases": [ "GMS-2018-67" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaqz-xw6f-6yeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54903?format=api", "vulnerability_id": "VCID-f41r-p9hu-hyhx", "summary": "Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads\nThe eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled, and consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper.\n\n**1. WEB SERVER CONFIGURATION**\nThe sample web server configuration in our documentation can in some cases allow the execution of uploaded PHP/PHAR code. This can be abused to allow priviledge escalation and breach of content access controls, among other things. Please ensure that your web server will not execute files in directories were files may be uploaded, such as web/var/ and ezpublish_legacy/var/\n\nAs an example, here is how you can make Apache return HTTP 403 Forbidden for a number of executable file types in your eZ Platform var directory. Please adapt it to your needs. It is then possible to enable logging of HTTP 403 in a separate log file if you wish, you could do this to see if someone is trying to abuse the server.\n```\nRewriteEngine On", "references": [ { "reference_url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": "https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm", "reference_id": "GHSA-pqjm-xcp8-wgmm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57078?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/250596?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/56950?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/534873?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81440?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B3" } ], "aliases": [ "GHSA-pqjm-xcp8-wgmm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f41r-p9hu-hyhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54901?format=api", "vulnerability_id": "VCID-qymv-b76a-2yh2", "summary": "Ez Platform Object Injection in legacy shop module\nThis Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why it was classified as Medium severity.", "references": [ { "reference_url": "https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-39j2-4p9j-5w4j", "reference_id": "GHSA-39j2-4p9j-5w4j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39j2-4p9j-5w4j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/534871?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/58933?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/534879?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/58934?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.5%2B1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.5%252B1" } ], "aliases": [ "GHSA-39j2-4p9j-5w4j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qymv-b76a-2yh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54912?format=api", "vulnerability_id": "VCID-rkq7-5cdy-k7d8", "summary": "eZ Publish Legacy Passwordless login for LDAP users\nThis security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy.\n\nInstallations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may in rare cases be vulnerable to a failure of the standard login handler to verify passwords correctly, allowing unauthorised access.\n\nIf your installation has never used the LDAP or TextFile login handlers, or never used legacy login at all, then it is not affected. Still, we recommend installing the update, to be on the safe side.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply this patch manually:\nhttps://github.com/ezsystems/ezpublish-legacy/commit/13f03a2be6c0ee4d0caaafaef05904ea9b0c4d9d", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/01930a95637389301f762be1439f726013e58aba", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/01930a95637389301f762be1439f726013e58aba" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/pull/1394", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/pull/1394" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-10-31-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-10-31-1.yaml" }, { "reference_url": "https://issues.ibexa.co/browse/EZP-29703", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.ibexa.co/browse/EZP-29703" }, { "reference_url": "https://web.archive.org/web/20201027063527/https://magento.com/security/news/new-zend-framework-1-security-vulnerability", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20201027063527/https://magento.com/security/news/new-zend-framework-1-security-vulnerability" }, { "reference_url": "https://web.archive.org/web/20210614184552/https://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614184552/https://share.ez.no/community-project/security-advisories/ezsa-2018-005-passwordless-login-for-ldap-users" }, { "reference_url": "https://github.com/advisories/GHSA-p9mp-vq4v-v5m5", "reference_id": "GHSA-p9mp-vq4v-v5m5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9mp-vq4v-v5m5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56944?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228279?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/81448?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228280?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/81447?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228281?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-2adj-kpzr-eycv" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-ufw5-emg4-cqd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.1" } ], "aliases": [ "GHSA-p9mp-vq4v-v5m5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkq7-5cdy-k7d8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40407?format=api", "vulnerability_id": "VCID-ufw5-emg4-cqd6", "summary": "EZSA-2018-006 XSS vulnerability in 'disabled module' error template", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/56950?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/228273?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/56951?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-8zn2-ztg4-s3ex" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0" } ], "aliases": [ "GMS-2018-66" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ufw5-emg4-cqd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52412?format=api", "vulnerability_id": "VCID-ukn1-91je-x7hw", "summary": "Unrestricted Upload of File with Dangerous Type\neZ Publish Legacy allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only `app.php` execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02833", "scoring_system": "epss", "scoring_elements": "0.86454", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02833", "scoring_system": "epss", "scoring_elements": "0.86477", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806" }, { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806", "reference_id": "CVE-2020-10806", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/250600?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76946?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.7%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/250608?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.4.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76947?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.4%252B2" } ], "aliases": [ "CVE-2020-10806", "GHSA-54p5-gxq6-j98g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ukn1-91je-x7hw" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.3.2" }