{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54901?format=json","vulnerability_id":"VCID-qymv-b76a-2yh2","summary":"Ez Platform Object Injection in legacy shop module\nThis Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why it was classified as Medium severity.","aliases":[{"alias":"GHSA-39j2-4p9j-5w4j"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56948?format=json","purl":"pkg:composer/ezsystems/ezpublish-legacy@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2adj-kpzr-eycv"},{"vulnerability":"VCID-6cyy-uhhk-63aa"},{"vulnerability":"VCID-a651-ayct-2fa1"},{"vulnerability":"VCID-eaqz-xw6f-6yeb"},{"vulnerability":"VCID-f41r-p9hu-hyhx"},{"vulnerability":"VCID-gnad-89bk-x7cq"},{"vulnerability":"VCID-qymv-b76a-2yh2"},{"vulnerability":"VCID-rkq7-5cdy-k7d8"},{"vulnerability":"VCID-ufw5-emg4-cqd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@5.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/81395?format=json","purl":"pkg:composer/ezsystems/ezpublish-legacy@2017.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2975-xhf4-ckcj"},{"vulnerability":"VCID-6cyy-uhhk-63aa"},{"vulnerability":"VCID-bmkb-zcyd-6kdk"},{"vulnerability":"VCID-eaqz-xw6f-6yeb"},{"vulnerability":"VCID-qymv-b76a-2yh2"},{"vulnerability":"VCID-ufw5-emg4-cqd6"},{"vulnerability":"VCID-ukn1-91je-x7hw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2017.12.0"},{"url":"http://public2.vulnerablecode.io/api/packages/56951?format=json","purl":"pkg:composer/ezsystems/ezpublish-legacy@2019.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6cyy-uhhk-63aa"},{"vulnerability":"VCID-8zn2-ztg4-s3ex"},{"vulnerability":"VCID-qymv-b76a-2yh2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-legacy@2019.3.0"}],"references":[{"reference_url":"https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module"},{"reference_url":"https://github.com/ezsystems/ezpublish-legacy","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ezsystems/ezpublish-legacy"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml"},{"reference_url":"https://github.com/advisories/GHSA-39j2-4p9j-5w4j","reference_id":"GHSA-39j2-4p9j-5w4j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39j2-4p9j-5w4j"}],"weaknesses":[{"cwe_id":94,"name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qymv-b76a-2yh2"}