cbcvebase.
CVE-2020-10806
published 2020-03-22

CVE-2020-10806: eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before…

Priority P354 · critical · 9.8 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EPSS: 2.32% (81.3th percentile)
eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ez | ez_publish-kernel | < 5.4.14.1 | 5.4.14.1 |
| ez | ez_publish-kernel | >= 6.0.0 < 6.13.6.2 | 6.13.6.2 |
| ez | ez_publish-kernel | >= 7.0.0 < 7.5.6.2 | 7.5.6.2 |
| ez | ez_publish-legacy | < 5.4.14.1 | 5.4.14.1 |
| ez | ez_publish-legacy | >= 2017.0 < 2017.12.7.2 | 2017.12.7.2 |
| ez | ez_publish-legacy | >= 2019.0 < 2019.03.4.2 | 2019.03.4.2 |
| ezsystems | ezpublish-kernel | >= 0 < 5.4.14.1 | 5.4.14.1 |
| ezsystems | ezpublish-kernel | >= 6.0 < 6.13.6.2 | 6.13.6.2 |
| ezsystems | ezpublish-kernel | >= 7.0 < 7.5.6.2 | 7.5.6.2 |
| ezsystems | ezpublish-legacy | >= 0 < 5.4.14.1 | 5.4.14.1 |
| ezsystems | ezpublish-legacy | >= 2017 < 2017.12.7.2 | 2017.12.7.2 |
| ezsystems | ezpublish-legacy | >= 2019 < 2019.03.4.2 | 2019.03.4.2 |

CVSS provenance

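| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |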