
Vulnerability_id VCID-qymv-b76a-2yh2
Summary
Ez Platform Object Injection in legacy shop module
This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, which is why it was classified as Medium severity.
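The following is an added illustration of the bug class the advisory describes (PHP object injection through unserialize() of editor-controlled data), paired with a hardened loader. It is not code from ezpublish-legacy or from the advisory: the LogWriter and DiscountRule classes, the loadRuleVulnerable/loadRuleHardened functions and the percent/minAmount field names are hypothetical. It also shows why the permission requirement only limits who can trigger the bug, not what it does: a gadget's magic method runs with the web server's privileges, so "can edit discount rules" becomes "can run code on the server".

```php
<?php
// Added example (not ezpublish-legacy code): PHP object injection via
// unserialize() of editor-supplied data, and a hardened loader.
// Class names, function names and field names are hypothetical.
// Requires PHP >= 7.1 (allowed_classes option, nullable return type).

// A "gadget": any class already loadable by the application whose magic
// method has a side effect. Here __destruct() writes a file, so whoever
// controls the serialized string controls the path and the contents.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// The value the application actually means to store for a discount rule.
class DiscountRule
{
    public $percent;
    public $minAmount;
}

// Vulnerable: the stored string is deserialized as-is, so it may name
// any class, and that class's __wakeup()/__destruct() will run.
function loadRuleVulnerable(string $stored)
{
    return unserialize($stored);
}

// Hardened: forbid object instantiation entirely, then rebuild the rule
// from scalar fields. Any O:...:{} record in the payload comes back as
// __PHP_Incomplete_Class, whose magic methods never run, and is rejected
// by the is_array() check. Storing rules as plain arrays (or JSON) is the
// real design fix; allowed_classes is the guard that enforces it.
function loadRuleHardened(string $stored): ?DiscountRule
{
    $data = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $rule = new DiscountRule();
    $rule->percent   = (float) ($data['percent'] ?? 0);
    $rule->minAmount = (float) ($data['minAmount'] ?? 0);
    return $rule;
}

// --- Demonstration -------------------------------------------------------

// Constructed attacker payload: a serialized LogWriter whose fields point
// at a file of the attacker's choosing. The attacker never calls
// serialize(); this string is all that is submitted through the form.
$target  = sys_get_temp_dir() . '/object-injection-demo.txt';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:8:"injected";}',
    strlen($target),
    $target
);

// Vulnerable path: LogWriter is instantiated and its __destruct() fires
// as soon as the object is released, writing $target.
@unlink($target);
$obj = loadRuleVulnerable($payload);
unset($obj);
printf("vulnerable loader: file written = %s\n", var_export(file_exists($target), true));

// Hardened path: the object record is rejected and nothing is written.
@unlink($target);
$rule = loadRuleHardened($payload);
printf("hardened loader: rule = %s, file written = %s\n",
    var_export($rule, true), var_export(file_exists($target), true));

// Legitimate data still loads: a plain array of scalars.
$rule = loadRuleHardened(serialize(['percent' => 10, 'minAmount' => 50]));
printf("legitimate rule: %.0f%% off orders over %.2f\n", $rule->percent, $rule->minAmount);
@unlink($target);
```

Whitelisting with `['allowed_classes' => ['DiscountRule']]` is weaker than refusing objects altogether, because it still trusts the property graph the editor submitted; keep the stored form scalar. Note that the Fixed_packages list on this page is empty, so the patched release has to be taken from the advisory and the FriendsOfPHP entry linked under References.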
Aliases
0
alias GHSA-39j2-4p9j-5w4j
Fixed_packages
Affected_packages
0
url pkg:composer/ezsystems/ezpublish-legacy@5.4.0
purl pkg:composer/ezsystems/ezpublish-legacy@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2adj-kpzr-eycv
1
vulnerability VCID-6cyy-uhhk-63aa
2
vulnerability VCID-a651-ayct-2fa1
3
vulnerability VCID-eaqz-xw6f-6yeb
4
vulnerability VCID-f41r-p9hu-hyhx
5
vulnerability VCID-gnad-89bk-x7cq
6
vulnerability VCID-qymv-b76a-2yh2
7
vulnerability VCID-rkq7-5cdy-k7d8
8
vulnerability VCID-ufw5-emg4-cqd6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.4.0
1
url pkg:composer/ezsystems/ezpublish-legacy@2017.12.0
purl pkg:composer/ezsystems/ezpublish-legacy@2017.12.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2975-xhf4-ckcj
1
vulnerability VCID-6cyy-uhhk-63aa
2
vulnerability VCID-bmkb-zcyd-6kdk
3
vulnerability VCID-eaqz-xw6f-6yeb
4
vulnerability VCID-qymv-b76a-2yh2
5
vulnerability VCID-ufw5-emg4-cqd6
6
vulnerability VCID-ukn1-91je-x7hw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.0
2
url pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
purl pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6cyy-uhhk-63aa
1
vulnerability VCID-qymv-b76a-2yh2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0
References
0
reference_url https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module
1
reference_url https://github.com/ezsystems/ezpublish-legacy
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ezsystems/ezpublish-legacy
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml
3
reference_url https://github.com/advisories/GHSA-39j2-4p9j-5w4j
reference_id GHSA-39j2-4p9j-5w4j
reference_type
scores
url https://github.com/advisories/GHSA-39j2-4p9j-5w4j
Weaknesses
0
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
(Risk_score is Weighted_severity multiplied by Exploitability: 6.2 × 0.5 = 3.1. Exploitability 0.5 is the lowest level, used because no exploit is recorded for this vulnerability; the Exploits list above is empty.)
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qymv-b76a-2yh2