Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/64297?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/64297?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.0", "type": "composer", "namespace": "ezsystems", "name": "ezpublish-kernel", "version": "6.13.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.13.8.2", "latest_non_vulnerable_version": "7.5.31", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40466?format=api", "vulnerability_id": "VCID-5jc4-962r-6kez", "summary": "Information Exposure\nREST API returns list of all site accesses.", "references": [ { "reference_url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-008-rest-api-returns-list-of-all-siteaccesses", "reference_id": "", "reference_type": "", "scores": [], "url": "http://share.ez.no/community-project/security-advisories/ezsa-2018-008-rest-api-returns-list-of-all-siteaccesses" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57070?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.5%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228751?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.6-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7k4g-s55n-zba3" }, { "vulnerability": "VCID-n9ba-bdr7-vkfg" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6-rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228774?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.2.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n9ba-bdr7-vkfg" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.2.4.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/57071?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.2.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.2.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/57072?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.3.2%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.3.2%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/228777?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.4.3-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n9ba-bdr7-vkfg" }, { "vulnerability": "VCID-ukn1-91je-x7hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.4.3-rc1" } ], "aliases": [ "GMS-2018-63" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5jc4-962r-6kez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54158?format=api", "vulnerability_id": "VCID-7k4g-s55n-zba3", "summary": "/user/sessions endpoint allows detecting valid accounts\nThis Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. 
The fix is distributed via Composer.\n\nIf you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46876", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.46938", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46876" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876", "reference_id": "CVE-2021-46876", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876" }, { "reference_url": "https://github.com/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gmrf-99gw-vvwj" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/292786?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n9ba-bdr7-vkfg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64301?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/292798?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n9ba-bdr7-vkfg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/64302?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1" } ], "aliases": [ "CVE-2021-46876", "GHSA-gmrf-99gw-vvwj", "GMS-2021-110" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7k4g-s55n-zba3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54921?format=api", "vulnerability_id": "VCID-8cdb-zjbz-1kdv", "summary": "eZ Platform Object Injection in SiteAccessMatchListener\nThis Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.\n\nUpdate: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. 
These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.", "references": [ { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-05-20-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-05-20-1.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-64vj-933f-6pm3", "reference_id": "GHSA-64vj-933f-6pm3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-64vj-933f-6pm3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81459?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.6%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/81458?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7k4g-s55n-zba3" }, { "vulnerability": "VCID-n9ba-bdr7-vkfg" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.8" } ], "aliases": [ "GHSA-64vj-933f-6pm3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8cdb-zjbz-1kdv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44659?format=api", "vulnerability_id": "VCID-m6hv-1sz4-mfff", "summary": "Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\nPatches", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875", "reference_id": "CVE-2021-46875", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875" }, { 
"reference_url": "https://github.com/advisories/GHSA-c737-jhwr-fqxj", "reference_id": "GHSA-c737-jhwr-fqxj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c737-jhwr-fqxj" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64298?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/64299?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2" } ], "aliases": [ "GHSA-c737-jhwr-fqxj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m6hv-1sz4-mfff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54210?format=api", "vulnerability_id": "VCID-n9ba-bdr7-vkfg", "summary": "Cross-site scripting in eZ Platform Kernel\nIn file upload it is possible by certain means to upload files like .html and .js. 
These may contain XSS exploits which will be run when links to them are accessed by victims.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.6805", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46875" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875", "reference_id": "CVE-2021-46875", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875" }, { "reference_url": 
"https://github.com/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mrvj-7q4f-5p42" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/295423?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/64298?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/295424?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/64299?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2" } ], "aliases": [ "CVE-2021-46875", "GHSA-mrvj-7q4f-5p42", "GMS-2021-111", "GMS-2021-47" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-n9ba-bdr7-vkfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52412?format=api", "vulnerability_id": "VCID-ukn1-91je-x7hw", "summary": "Unrestricted Upload of File with Dangerous Type\neZ Publish Legacy allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only `app.php` execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02833", "scoring_system": "epss", "scoring_elements": "0.86454", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10806" }, { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806", "reference_id": "CVE-2020-10806", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10806" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/250622?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7k4g-s55n-zba3" }, { "vulnerability": "VCID-n9ba-bdr7-vkfg" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76948?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.6%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/250649?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7k4g-s55n-zba3" }, { "vulnerability": "VCID-n9ba-bdr7-vkfg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.6%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.6%252B2" } ], "aliases": [ "CVE-2020-10806", "GHSA-54p5-gxq6-j98g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ukn1-91je-x7hw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44661?format=api", "vulnerability_id": "VCID-vpbp-kn99-hygk", "summary": "Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references.\n\n## Original Description\n\nThis Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. 
This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876", "reference_id": "CVE-2021-46876", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876" }, { "reference_url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4", "reference_id": "GHSA-89p3-9j8c-fqh4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64301?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64302?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1" } ], "aliases": [ "GHSA-89p3-9j8c-fqh4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vpbp-kn99-hygk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54853?format=api", "vulnerability_id": "VCID-y2r5-sqjj-f3fc", "summary": "eZ Publish Remote code execution in file uploads\nThis Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if you have strict controls on this and trust all who have this permission, you're not affected. On the basis of the tests we have made, we also believe the vulnerability cannot be exploited as long as our recommended vhost configuration is used. 
Here is the v2.5 recommendation for Nginx, as an example:\n\n https://github.com/ezsystems/ezplatform/blob/2.5/doc/nginx/vhost.template#L31\n\n This vhost template specifies that only the file app.php in the web root is executed, while vulnerable configurations allow execution of any php file. Apache is affected in the same way as Nginx, and is also protected by using the recommended configuration. The build-in webserver in PHP stays vulnerable, as it doesn't use this type of configuration (this webserver should only be used for development, never for production). We cannot be 100% certain our configuration is not vulnerable. We also do not know if all our users use the recommended configuration, so we send out this fix to be on the safe side.\n\nThe fix includes a blocklist feature for uploaded filenames, such as \".php\". The file types on the blocklist cannot be uploaded. The blocklist is configurable. In eZ Platform you will find it as ezsettings.default.io.file_storage.file_type_blocklist in eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml in vendors/ezsystems/ezpublish-kernel. In eZ Publish Legacy you will find it as FileExtensionblockList in settings/file.ini. By default it blocks these file types: php, php3, phar, phpt, pht, phtml, pgif. 
The fix also inclues a new block against path traversal attacks, though this kind of attack was not reproducible in our tests.", "references": [ { "reference_url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-03-03-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-03-03-1.yaml" }, { "reference_url": "https://web.archive.org/web/20210304031629/https://developers.ibexa.co/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20210304031629/https://developers.ibexa.co/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads" }, { "reference_url": "https://github.com/advisories/GHSA-3vwr-jj4f-h98x", "reference_id": "GHSA-3vwr-jj4f-h98x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vwr-jj4f-h98x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76948?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.6%2B2", 
"is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6%252B2" }, { "url": "http://public2.vulnerablecode.io/api/packages/76949?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.6%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.6%252B2" } ], "aliases": [ "GHSA-3vwr-jj4f-h98x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y2r5-sqjj-f3fc" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.0" }