Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/228784?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/228784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2", "type": "composer", "namespace": "ezsystems", "name": "ezpublish-legacy", "version": "2018.09.1.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2019.03.6", "latest_non_vulnerable_version": "2019.03.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41434?format=api", "vulnerability_id": "VCID-29ju-364n-qkch", "summary": "Content object state fetch functions open to SQL injection\n### Impact\nThis Security Update is about a vulnerability in eZ Publish Legacy. The content object state code could be vulnerable to SQL injection. There is no known exploit, but one might be possible. If you use Legacy in any way, we strongly recommend that you install this update as soon as possible.\n\n### Patches\nThe fix is distributed via Composer, see \"Patched versions\".", "references": [ { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2021-005-content-object-state-fetch-functions-open-to-sql-injection" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/ezsystems/ezpublish-legacy/commit/f8e3a97afd92efb9148134a4bacb35a875777a42" }, { "reference_url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jpwx-ffjq-wr4w" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w", "reference_id": "GHSA-jpwx-ffjq-wr4w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/security/advisories/GHSA-jpwx-ffjq-wr4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/534880?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.03.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.03.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/58936?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.6%252B1" } ], "aliases": [ "GHSA-jpwx-ffjq-wr4w", "GMS-2021-112" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-29ju-364n-qkch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40467?format=api", "vulnerability_id": "VCID-eaqz-xw6f-6yeb", "summary": "EZSA-2018-009 Do not interpret PHP/PHAR uploads", "references": [ { "reference_url": 
"http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56951?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2019.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-8zn2-ztg4-s3ex" }, { "vulnerability": "VCID-qymv-b76a-2yh2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0" } ], "aliases": [ "GMS-2018-67" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaqz-xw6f-6yeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54903?format=api", "vulnerability_id": "VCID-f41r-p9hu-hyhx", "summary": "Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads\nThe eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled, and consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper.\n\n**1. WEB SERVER CONFIGURATION**\nThe sample web server configuration in our documentation can in some cases allow the execution of uploaded PHP/PHAR code. This can be abused to allow privilege escalation and breach of content access controls, among other things. Please ensure that your web server will not execute files in directories where files may be uploaded, such as web/var/ and ezpublish_legacy/var/\n\nAs an example, here is how you can make Apache return HTTP 403 Forbidden for a number of executable file types in your eZ Platform var directory. Please adapt it to your needs. 
It is then possible to enable logging of HTTP 403 in a separate log file if you wish, you could do this to see if someone is trying to abuse the server.\n```\nRewriteEngine On", "references": [ { "reference_url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezplatform/commit/9a0c52dc4535e4b3ce379f80222dc53f705a2cfd" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/d21957bf202b091ab39dfb5be300f6c30be3933e" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-21-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": 
"https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614192208/https://share.ez.no/community-project/security-advisories/ezsa-2018-009-do-not-interpret-php-phar-uploads" }, { "reference_url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm", "reference_id": "GHSA-pqjm-xcp8-wgmm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pqjm-xcp8-wgmm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/534873?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/81440?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B3" } ], "aliases": [ "GHSA-pqjm-xcp8-wgmm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f41r-p9hu-hyhx" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54824?format=api", "vulnerability_id": "VCID-2adj-kpzr-eycv", "summary": "eZ Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template\nThis security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as 
soon as possible if you are using Legacy via the LegacyBridge.\n\nInstallations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing.\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above, or apply this patch manually:\nhttps://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-legacy", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy" }, { "reference_url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2018-11-01-1.yaml" }, { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": 
"https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210614172734/http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template" }, { "reference_url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5", "reference_id": "GHSA-2vh3-cj9j-mcj5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2vh3-cj9j-mcj5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81353?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@5.3.12%2B5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.3.12%252B5" }, { "url": "http://public2.vulnerablecode.io/api/packages/81352?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@5.4.12%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.4.12%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228782?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-6cyy-uhhk-63aa" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" }, { "vulnerability": "VCID-qymv-b76a-2yh2" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4.2" 
}, { "url": "http://public2.vulnerablecode.io/api/packages/56949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.4%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/228783?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.06.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/56945?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.6.1%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/228784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29ju-364n-qkch" }, { "vulnerability": "VCID-eaqz-xw6f-6yeb" }, { "vulnerability": "VCID-f41r-p9hu-hyhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/81351?format=api", "purl": "pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.9.1%252B2" } ], "aliases": [ "GHSA-2vh3-cj9j-mcj5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-2adj-kpzr-eycv" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2018.09.1.2" }