Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-6844 — Publish vulnerability

CWE-2643 documents3 sources

Severity

7.5HIGHNVD

EPSS

3.8%

top 11.88%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

EZ Publish

Timeline

PublishedJul 2

Latest updateMay 17

Description

The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, ContentObjectAttribute_data_user_password_30, and other parameters.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDez/ez_publish3.5.6+23

🔴Vulnerability Details

GHSA

GHSA-h9fw-hm8c-pxx3: The registration view (/user/register) in eZ Publish 3↗2022-05-17

▶

💥Exploits & PoCs

Exploit-DB

EZ Publish < 3.9.5/3.10.1/4.0.1 - Privilege Escalation↗2008-12-10

▶