Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/488825?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/488825?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1", "type": "composer", "namespace": "ezsystems", "name": "ezpublish-kernel", "version": "7.5.15.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.5.31", "latest_non_vulnerable_version": "8.0.0-beta1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/171778?format=api", "vulnerability_id": "VCID-1515-rc8b-zbbm", "summary": "An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48365", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00693", "scoring_system": "epss", "scoring_elements": "0.72346", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00693", "scoring_system": "epss", "scoring_elements": "0.72435", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00693", "scoring_system": "epss", "scoring_elements": "0.72441", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00693", "scoring_system": "epss", "scoring_elements": "0.72427", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48365" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48365", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48365" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/957e67a08af2b3265753f9763943e8225ed779ab", "reference_id": "957e67a08af2b3265753f9763943e8225ed779ab", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/957e67a08af2b3265753f9763943e8225ed779ab" }, { "reference_url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-8h83-chh2-fchp", "reference_id": "GHSA-8h83-chh2-fchp", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/" } ], "url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-8h83-chh2-fchp" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g", "reference_id": "GHSA-99r3-xmmq-7q7g", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g" }, { "reference_url": "https://github.com/advisories/GHSA-qq2j-9pf8-g58c", "reference_id": "GHSA-qq2j-9pf8-g58c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qq2j-9pf8-g58c" }, { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips", "reference_id": "ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-04T20:32:41Z/" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27838?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.30" } ], "aliases": [ "CVE-2022-48365", "GHSA-qq2j-9pf8-g58c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1515-rc8b-zbbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208232?format=api", "vulnerability_id": "VCID-3dej-a2k6-mkfc", "summary": "Code injection in ezsystems/ezpublish-kernel", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25337", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00537", "scoring_system": "epss", "scoring_elements": "0.67968", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00537", "scoring_system": "epss", "scoring_elements": "0.68065", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00537", "scoring_system": "epss", "scoring_elements": "0.68069", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00537", "scoring_system": "epss", "scoring_elements": "0.68056", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25337" }, { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25337", "reference_id": "CVE-2022-25337", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25337" }, { "reference_url": "https://github.com/advisories/GHSA-xwv6-v7qx-f5jc", "reference_id": "GHSA-xwv6-v7qx-f5jc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xwv6-v7qx-f5jc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18763?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.26" } ], "aliases": [ "CVE-2022-25337", "GHSA-xwv6-v7qx-f5jc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3dej-a2k6-mkfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/207465?format=api", "vulnerability_id": "VCID-6bux-9s4g-u3f7", "summary": "IBX-1392: Image filenames sanitization", "references": [ { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-001-image-filenames-sanitization" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/releases/tag/v7.5.26", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/releases/tag/v7.5.26" }, { "reference_url": "https://github.com/advisories/GHSA-44m4-9cjp-j587", "reference_id": "GHSA-44m4-9cjp-j587", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44m4-9cjp-j587" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-44m4-9cjp-j587", "reference_id": "GHSA-44m4-9cjp-j587", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-44m4-9cjp-j587" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18763?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.26" } ], "aliases": [ "GHSA-44m4-9cjp-j587", "GMS-2022-23" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6bux-9s4g-u3f7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/155180?format=api", "vulnerability_id": "VCID-93qx-tphk-qbhg", "summary": "An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68247", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.6825", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68237", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00542", "scoring_system": "epss", "scoring_elements": "0.68148", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46875" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezplatform-kernel#v1.2.5.1" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezpublish-kernel#v7.5.15.2" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b", "reference_id": "29fecd2afe86f763510f10c02f14962d028f311b", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b" }, { "reference_url": "https://github.com/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrvj-7q4f-5p42" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T21:15:05Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/491379?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-3dej-a2k6-mkfc" }, { "vulnerability": "VCID-6bux-9s4g-u3f7" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/381000?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2" } ], "aliases": [ "CVE-2021-46875", "GHSA-mrvj-7q4f-5p42", "GMS-2021-111", "GMS-2021-47" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-93qx-tphk-qbhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211512?format=api", "vulnerability_id": "VCID-e7nm-tf1f-j7ax", "summary": "eZ Platform users with the Company admin role can assign any role to any user", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/advisories/GHSA-99r3-xmmq-7q7g", "reference_id": "GHSA-99r3-xmmq-7q7g", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99r3-xmmq-7q7g" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g", "reference_id": "GHSA-99r3-xmmq-7q7g", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-99r3-xmmq-7q7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27838?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/663768?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1" } ], "aliases": [ "GHSA-99r3-xmmq-7q7g", "GMS-2022-6758" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e7nm-tf1f-j7ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/171787?format=api", "vulnerability_id": "VCID-fgne-j33v-2fhv", "summary": "An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48367", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62882", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62991", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62996", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62983", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48367" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48367", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48367" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x", "reference_id": "GHSA-5x4f-7xgq-r42x", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-04T16:52:00Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x" }, { "reference_url": "https://github.com/advisories/GHSA-h5v2-wrhp-5v35", "reference_id": "GHSA-h5v2-wrhp-5v35", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h5v2-wrhp-5v35" }, { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge", "reference_id": "ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-04T16:52:00Z/" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20370?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.28" } ], "aliases": [ "CVE-2022-48367", "GHSA-h5v2-wrhp-5v35" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fgne-j33v-2fhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/171956?format=api", "vulnerability_id": "VCID-jjry-usfr-dqfy", "summary": "An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48366", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.45977", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.46114", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.46128", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.46121", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48366" }, { "reference_url": "https://github.com/ezsystems/ezplatform-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezplatform-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48366", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48366" }, { "reference_url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2", "reference_id": "GHSA-342c-vcff-2ff2", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/" } ], "url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-342c-vcff-2ff2" }, { "reference_url": "https://github.com/advisories/GHSA-66m4-gc8h-hpjx", "reference_id": "GHSA-66m4-gc8h-hpjx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-66m4-gc8h-hpjx" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94", "reference_id": "GHSA-xfqg-p48g-hh94", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94" }, { "reference_url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce", "reference_id": "ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:53:33Z/" } ], "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24388?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.29" } ], "aliases": [ "CVE-2022-48366", "GHSA-66m4-gc8h-hpjx" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jjry-usfr-dqfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/209017?format=api", "vulnerability_id": "VCID-jx85-npqm-tucj", "summary": "Object state limitation has no effect", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/133c33cbcaa330953d6283865153f3dfdc7a2e45", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/133c33cbcaa330953d6283865153f3dfdc7a2e45" }, { "reference_url": "https://github.com/advisories/GHSA-5x4f-7xgq-r42x", "reference_id": "GHSA-5x4f-7xgq-r42x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5x4f-7xgq-r42x" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x", "reference_id": "GHSA-5x4f-7xgq-r42x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20370?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.28" } ], "aliases": [ "GHSA-5x4f-7xgq-r42x", "GMS-2022-1046" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jx85-npqm-tucj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361025?format=api", "vulnerability_id": "VCID-pjyp-wjua-9kcg", "summary": "Duplicate Advisory: Cross Site Scripting in eZ Platform Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mrvj-7q4f-5p42. This link is maintained to preserve external references.\n\n## Original Description\n## Impact\n\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\nPatches\n\n## Patches\n\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\nImportant note\n\n## Important note\n\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875" }, { "reference_url": "https://github.com/advisories/GHSA-c737-jhwr-fqxj", "reference_id": "GHSA-c737-jhwr-fqxj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c737-jhwr-fqxj" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42", "reference_id": "GHSA-mrvj-7q4f-5p42", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/491379?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-3dej-a2k6-mkfc" }, { "vulnerability": "VCID-6bux-9s4g-u3f7" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/381000?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B2" } ], "aliases": [ "GHSA-c737-jhwr-fqxj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pjyp-wjua-9kcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210694?format=api", "vulnerability_id": "VCID-qpmz-w944-skf1", "summary": "Login timing attack in ezsystems/ezpublish-kernel", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/913fe17281536a91437d94e8267181ae8b57f5d5", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/913fe17281536a91437d94e8267181ae8b57f5d5" }, { "reference_url": "https://issues.ibexa.co/browse/IBX-1755", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.ibexa.co/browse/IBX-1755" }, { "reference_url": "https://github.com/advisories/GHSA-xfqg-p48g-hh94", "reference_id": "GHSA-xfqg-p48g-hh94", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xfqg-p48g-hh94" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94", "reference_id": "GHSA-xfqg-p48g-hh94", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/24388?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.29" } ], "aliases": [ "GHSA-xfqg-p48g-hh94", "GMS-2022-1738" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qpmz-w944-skf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361040?format=api", "vulnerability_id": "VCID-xbxs-euz1-qfhe", "summary": "Download route allows filename change in eZpublish kernel\n### Impact\nThe route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and confusion, and possibly other harm. As such it is a low severity vulnerability. It affects all supported versions of Ibexa DXP and eZ Platform, in installations where downloadable files exist.\n\n### Patches\nThe issue is fixed in all supported versions of ezsystems/ezpublish-kernel, see \"Patched versions\".\nAn advisory is also published for ezsystems/ezplatform-kernel and ibexa/core, please see those repositories.\nCommit: https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1\n\n### Workarounds\nNone, other than blocking all downloads.\n\n### References\nhttps://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/142152f9bae4c4835713df0bdfe22bc98d03f9a1" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-946c-f9w6-2c25", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-946c-f9w6-2c25" }, { "reference_url": "https://github.com/advisories/GHSA-946c-f9w6-2c25", "reference_id": "GHSA-946c-f9w6-2c25", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-946c-f9w6-2c25" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381133?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.31", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/663768?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@8.0.0-beta1" } ], "aliases": [ "GHSA-946c-f9w6-2c25", "GMS-2023-3989" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xbxs-euz1-qfhe" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360999?format=api", "vulnerability_id": "VCID-9q94-psat-5kan", "summary": "Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references.\n\n## Original Description\n\nThis Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.", "references": [ { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876" }, { "reference_url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4", "reference_id": "GHSA-89p3-9j8c-fqh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-89p3-9j8c-fqh4" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380783?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/488813?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" }, { "vulnerability": "VCID-pjyp-wjua-9kcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/488825?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-3dej-a2k6-mkfc" }, { "vulnerability": "VCID-6bux-9s4g-u3f7" }, { "vulnerability": "VCID-93qx-tphk-qbhg" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-pjyp-wjua-9kcg" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/380784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1" } ], "aliases": [ "GHSA-89p3-9j8c-fqh4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9q94-psat-5kan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/155215?format=api", "vulnerability_id": "VCID-bn65-ps85-1ua8", "summary": "An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46876", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47169", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47187", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47031", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46876" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ezsystems/ezpublish-kernel" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46876" }, { "reference_url": "https://packagist.org/packages/ezsystems/ezpublish-kernel", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/ezsystems/ezpublish-kernel" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed", "reference_id": "b496f073c3f03707d3531a6941dc098b84e3cbed", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T16:41:54Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed" }, { "reference_url": "https://github.com/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gmrf-99gw-vvwj" }, { "reference_url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj", "reference_id": "GHSA-gmrf-99gw-vvwj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T16:41:54Z/" } ], "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380783?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8%2B1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/488813?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" }, { "vulnerability": "VCID-pjyp-wjua-9kcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@6.13.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/488825?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1515-rc8b-zbbm" }, { "vulnerability": "VCID-3dej-a2k6-mkfc" }, { "vulnerability": "VCID-6bux-9s4g-u3f7" }, { "vulnerability": "VCID-93qx-tphk-qbhg" }, { "vulnerability": "VCID-e7nm-tf1f-j7ax" }, { "vulnerability": "VCID-fgne-j33v-2fhv" }, { "vulnerability": "VCID-jjry-usfr-dqfy" }, { "vulnerability": "VCID-jx85-npqm-tucj" }, { "vulnerability": "VCID-pjyp-wjua-9kcg" }, { "vulnerability": "VCID-qpmz-w944-skf1" }, { "vulnerability": "VCID-xbxs-euz1-qfhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/380784?format=api", "purl": "pkg:composer/ezsystems/ezpublish-kernel@7.5.15%2B1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-93qx-tphk-qbhg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15%252B1" } ], "aliases": [ "CVE-2021-46876", "GHSA-gmrf-99gw-vvwj", "GMS-2021-110" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bn65-ps85-1ua8" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.15.1" }