{"url":"http://public2.vulnerablecode.io/api/packages/488822?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.13","type":"composer","namespace":"ezsystems","name":"ezpublish-kernel","version":"7.5.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.5.15+2","latest_non_vulnerable_version":"8.0.0-beta1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/171778?format=json","vulnerability_id":"VCID-1515-rc8b-zbbm","summary":"An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48365","reference_id":"","reference_type":"","scores":[{"value":"0.00693","scoring_system":"epss","scoring_elements":"0.72346","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48365"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48365","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48365"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/957e67a08af2b3265753f9763943e8225ed779ab","reference_id":"957e67a08af2b3265753f9763943e8225ed779ab","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system"
:"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/commit/957e67a08af2b3265753f9763943e8225ed779ab"},{"reference_url":"https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-8h83-chh2-fchp","reference_id":"GHSA-8h83-chh2-fchp","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/"}],"url":"https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-8h83-chh2-fchp"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g","reference_id":"GHSA-99r3-xmmq-7q7g","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g"},{"reference_url":"https://github.com/advisories/GHSA-qq2j-9pf8-g58c","reference_id":"GHSA-qq2j-9pf8-g58c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qq2j-9pf8-g58c"},{"reference_url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips","reference_id":"ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips","reference_type":"","scores":[{"valu
e":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/"}],"url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27838?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.30","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.30"}],"aliases":["CVE-2022-48365","GHSA-qq2j-9pf8-g58c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1515-rc8b-zbbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208232?format=json","vulnerability_id":"VCID-3dej-a2k6-mkfc","summary":"Code injection in 
ezsystems/ezpublish-kernel","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25337","reference_id":"","reference_type":"","scores":[{"value":"0.00537","scoring_system":"epss","scoring_elements":"0.67968","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25337"},{"reference_url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25337","reference_id":"CVE-2022-25337","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25337"},{"reference_url":"https://github.com/advisories/GHSA-xwv6-v7qx-f5jc","reference_id":"GHSA-xwv6-v7qx-f5jc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xwv6-v7qx-f5jc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18763?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vul
nerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.26"}],"aliases":["CVE-2022-25337","GHSA-xwv6-v7qx-f5jc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3dej-a2k6-mkfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207465?format=json","vulnerability_id":"VCID-6bux-9s4g-u3f7","summary":"IBX-1392: Image filenames sanitization","references":[{"reference_url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/releases/tag/v7.5.26","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/releases/tag/v7.5.26"},{"reference_url":"https://github.com/advisories/GHSA-44m4-9cjp-j587","reference_id":"GHSA-44m4-9cjp-j587","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44m4-9cjp-j587"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-44m4-9cjp-j587","reference_id":"GHSA-44m4-9cjp-j587","reference_type":"","scores"
:[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-44m4-9cjp-j587"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18763?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.26"}],"aliases":["GHSA-44m4-9cjp-j587","GMS-2022-23"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6bux-9s4g-u3f7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/155180?format=json","vulnerability_id":"VCID-93qx-tphk-qbhg","summary":"An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. 
An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46875","reference_id":"","reference_type":"","scores":[{"value":"0.00542","scoring_system":"epss","scoring_elements":"0.68148","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46875"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875"},{"reference_url":"https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1"},{"reference_url":"https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b","reference_id":"29fecd2afe86f763510f10c02f14962d028f311b","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/"}],"url":"https://github.com/ezsys
tems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b"},{"reference_url":"https://github.com/advisories/GHSA-mrvj-7q4f-5p42","reference_id":"GHSA-mrvj-7q4f-5p42","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mrvj-7q4f-5p42"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42","reference_id":"GHSA-mrvj-7q4f-5p42","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381000?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/491379?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-3dej-a2k6-mkfc"},{"vulnerability":"VCID-6bux-9s4g-u3f7"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2"}],"aliases":["CVE-2021-46875","GHSA-mrvj-7q4f-5p42"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resourc
e_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-93qx-tphk-qbhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360999?format=json","vulnerability_id":"VCID-9q94-psat-5kan","summary":"Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references.\n\n## Original Description\n\nThis Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.","references":[{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46876","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46876"},{"reference_url":"https://github.com/advisories/GHSA-89p3-9j8c-fqh4","reference_id":"GHSA-89p3-9j8c-fqh4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89p3-9j8c-fqh4"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99
gw-vvwj","reference_id":"GHSA-gmrf-99gw-vvwj","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380784?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-93qx-tphk-qbhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/488825?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-3dej-a2k6-mkfc"},{"vulnerability":"VCID-6bux-9s4g-u3f7"},{"vulnerability":"VCID-93qx-tphk-qbhg"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-pjyp-wjua-9kcg"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1"}],"aliases":["GHSA-89p3-9j8c-fqh4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9q94-psat-5kan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/155215?format=json","vulnerability_id":"VCID-bn65-ps85-1ua8","summary":"An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. 
The /user/sessions endpoint can be abused to determine account existence.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46876","reference_id":"","reference_type":"","scores":[{"value":"0.00237","scoring_system":"epss","scoring_elements":"0.47031","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-46876"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46876","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46876"},{"reference_url":"https://packagist.org/packages/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/ezsystems/ezpublish-kernel"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed","reference_id":"b496f073c3f03707d3531a6941dc098b84e3cbed","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T16:41:54Z/"}],"url":
"https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed"},{"reference_url":"https://github.com/advisories/GHSA-gmrf-99gw-vvwj","reference_id":"GHSA-gmrf-99gw-vvwj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gmrf-99gw-vvwj"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj","reference_id":"GHSA-gmrf-99gw-vvwj","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T16:41:54Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380784?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-93qx-tphk-qbhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/488825?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-3dej-a2k6-mkfc"},{"vulnerability":"VCID-6bux-9s4g-u3f7"},{"vulnerability":"VCID-93qx-tphk-qbhg"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-pjyp-wjua-9kcg"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystem
s/ezpublish-kernel@7.5.15.1"}],"aliases":["CVE-2021-46876","GHSA-gmrf-99gw-vvwj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bn65-ps85-1ua8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/171787?format=json","vulnerability_id":"VCID-fgne-j33v-2fhv","summary":"An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48367","reference_id":"","reference_type":"","scores":[{"value":"0.00428","scoring_system":"epss","scoring_elements":"0.62882","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48367"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48367","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48367"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x","reference_id":"GHSA-5x4f-7xgq-r42x","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-04T16:52:00Z/"}],"url"
:"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x"},{"reference_url":"https://github.com/advisories/GHSA-h5v2-wrhp-5v35","reference_id":"GHSA-h5v2-wrhp-5v35","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h5v2-wrhp-5v35"},{"reference_url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge","reference_id":"ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-04T16:52:00Z/"}],"url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20370?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.28"}],"aliases":["CVE-2022-48367","GHSA-h5v2-wrhp-5v35"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fgne-j33v-2fhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/171956?format=json","vulnerability_id":"VCID-jjry-usfr-dqfy","summary":"An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. 
It allows determining account existence via a timing attack.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48366","reference_id":"","reference_type":"","scores":[{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-48366"},{"reference_url":"https://github.com/ezsystems/ezplatform-kernel","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezplatform-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48366","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48366"},{"reference_url":"https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2","reference_id":"GHSA-342c-vcff-2ff2","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/"}],"url":"https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2"},{"reference_url":"https://github.com/advisories/GHSA-66m4-gc8h-hpjx","reference_id":"GHSA-66m4-gc8h-hpjx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-66m4-gc8h-hpjx"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisori
es/GHSA-xfqg-p48g-hh94","reference_id":"GHSA-xfqg-p48g-hh94","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/"}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94"},{"reference_url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce","reference_id":"ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/"}],"url":"https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24388?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.29"}],"aliases":["CVE-2022-48366","GHSA-66m4-gc8h-hpjx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jjry-usfr-dqfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209017?format=json","vulnerability_id":"VCID-jx85-npqm-tucj","summary":"Object state limitation has no 
effect","references":[{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/133c33cbcaa330953d6283865153f3dfdc7a2e45","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/commit/133c33cbcaa330953d6283865153f3dfdc7a2e45"},{"reference_url":"https://github.com/advisories/GHSA-5x4f-7xgq-r42x","reference_id":"GHSA-5x4f-7xgq-r42x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5x4f-7xgq-r42x"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x","reference_id":"GHSA-5x4f-7xgq-r42x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20370?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.28"}],"aliases":["GHSA-5x4f-7xgq-r42x","GMS-2022-1046"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jx85-npqm-tucj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36102
5?format=json","vulnerability_id":"VCID-pjyp-wjua-9kcg","summary":"Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mrvj-7q4f-5p42. This link is maintained to preserve external references.\n\n## Original Description\n## Impact\n\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\n\n## Patches\n\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the setting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\n\n## Important note\n\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. 
use an approval workflow for such content.","references":[{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46875"},{"reference_url":"https://github.com/advisories/GHSA-c737-jhwr-fqxj","reference_id":"GHSA-c737-jhwr-fqxj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c737-jhwr-fqxj"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42","reference_id":"GHSA-mrvj-7q4f-5p42","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381000?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/491379?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2","is_vulnerable":true,"affected_by_vulnerabili
ties":[{"vulnerability":"VCID-1515-rc8b-zbbm"},{"vulnerability":"VCID-3dej-a2k6-mkfc"},{"vulnerability":"VCID-6bux-9s4g-u3f7"},{"vulnerability":"VCID-fgne-j33v-2fhv"},{"vulnerability":"VCID-jjry-usfr-dqfy"},{"vulnerability":"VCID-jx85-npqm-tucj"},{"vulnerability":"VCID-xbxs-euz1-qfhe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2"}],"aliases":["GHSA-c737-jhwr-fqxj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pjyp-wjua-9kcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361040?format=json","vulnerability_id":"VCID-xbxs-euz1-qfhe","summary":"Download route allows filename change in eZpublish kernel\n### Impact\nThe route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. 
It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist.\n\n### Patches\nThe issue is fixed in all supported versions of ezsystems/ezpublish-kernel, see \"Patched versions\".\nAn advisory is also published for ezsystems/ezplatform-kernel and ibexa/core, please see those repositories.\nCommit: https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1\n\n### Workarounds\nNone, other than blocking all downloads.\n\n### References\nhttps://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads","references":[{"reference_url":"https://github.com/ezsystems/ezpublish-kernel","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1"},{"reference_url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-946c-f9w6-2c25","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-946c-f9w6-2c25"},{"reference_url":"https://github.com/advisories/GHSA-946c-f9w6-2c25","reference_id":"GHSA-946c-f9w6-2c25","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-946c-f9w6-2c25"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381133?format=json","purl":"pkg:comp
oser/ezsystems/ezpublish-kernel@7.5.31","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.31"},{"url":"http://public2.vulnerablecode.io/api/packages/663768?format=json","purl":"pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1"}],"aliases":["GHSA-946c-f9w6-2c25","GMS-2023-3989"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbxs-euz1-qfhe"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.13"}