{"url":"http://public2.vulnerablecode.io/api/packages/421913?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.3.0","type":"composer","namespace":"ezsystems","name":"ezpublish-kernel","version":"6.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.13.8.2","latest_non_vulnerable_version":"7.5.31","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44168?format=json","vulnerability_id":"VCID-2kx3-zgg7-zbax","summary":"Cross-site scripting in eZ Platform Kernel\n### Impact\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\n\n### Patches\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the setting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\n\n### Important note\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. 
use an approval workflow for such content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46875","reference_id":"","reference_type":"","scores":[{"value":"0.00542","scoring_system":"epss","scoring_elements":"0.67987","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46875"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875"},{"reference_url":"https://packagis
t.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1"},{"reference_url":"https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2"},{"reference_url":"https://github.com/advisories/GHSA-mrvj-7q4f-5p42","reference_id":"GHSA-mrvj-7q4f-5p42","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mrvj-7q4f-5p42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70724?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/478428?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/70725?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/478429?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1d5w-vvvz-2uf3"},{"vulnerability":"VCID-ah68-aeum-qbgb"},{"vulnerability":"VCID-gzmz-zutf-j3he"}],"resource_url":"http://public2.vulnerable
code.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2"}],"aliases":["CVE-2021-46875","GHSA-mrvj-7q4f-5p42"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kx3-zgg7-zbax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58721?format=json","vulnerability_id":"VCID-5aph-bafa-mkds","summary":"eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type\neZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-10806","reference_id":"","reference_type":"","scores":[{"value":"0.02833","scoring_system":"epss","scoring_elements":"0.86428","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-10806"},{"reference_url":"https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10806","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10806"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40973?format
=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.6%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/443456?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-7fg7-dv45-xbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40972?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.6%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.6%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/443483?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1d5w-vvvz-2uf3"},{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-7fg7-dv45-xbat"},{"vulnerability":"VCID-ah68-aeum-qbgb"},{"vulnerability":"VCID-gzmz-zutf-j3he"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.6.2"}],"aliases":["CVE-2020-10806","GHSA-54p5-gxq6-j98g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5aph-bafa-mkds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/119012?format=json","vulnerability_id":"VCID-c5y1-bd9s-uua6","summary":"Information Exposure\nREST API returns list of all site 
accesses.","references":[{"reference_url":"http://share.ez.no/community-project/security-advisories/ezsa-2018-008-rest-api-returns-list-of-all-siteaccesses","reference_id":"","reference_type":"","scores":[],"url":"http://share.ez.no/community-project/security-advisories/ezsa-2018-008-rest-api-returns-list-of-all-siteaccesses"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44235?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.7.9%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.7.9%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/421984?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.7.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-5aph-bafa-mkds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.7.9.1"},{"url":"http://public2.vulnerablecode.io/api/packages/44234?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.5%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/422040?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@6.13.6-rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-5aph-bafa-mkds"},{"vulnerability":"VCID-7fg7-dv45-xbat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.6-rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/44233?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.2.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsy
stems/ezpublish-kernel@7.2.4%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/422063?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.2.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-5aph-bafa-mkds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.2.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/44232?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.3.2%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.3.2%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/422066?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.4.3-rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2kx3-zgg7-zbax"},{"vulnerability":"VCID-5aph-bafa-mkds"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.4.3-rc1"}],"aliases":["GMS-2018-63"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c5y1-bd9s-uua6"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.3.0"}