CVE-2020-10806
Published 2020-03-22
Priority P3 · 54 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.32% (81.3rd percentile)
eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
Affected: 12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ez | ez_publish-kernel | < 5.4.14.1 | 5.4.14.1 |
| ez | ez_publish-kernel | >= 6.0.0 < 6.13.6.2 | 6.13.6.2 |
| ez | ez_publish-kernel | >= 7.0.0 < 7.5.6.2 | 7.5.6.2 |
| ez | ez_publish-legacy | < 5.4.14.1 | 5.4.14.1 |
| ez | ez_publish-legacy | >= 2017.0 < 2017.12.7.2 | 2017.12.7.2 |
| ez | ez_publish-legacy | >= 2019.0 < 2019.03.4.2 | 2019.03.4.2 |
| ezsystems | ezpublish-kernel | >= 0 < 5.4.14.1 | 5.4.14.1 |
| ezsystems | ezpublish-kernel | >= 6.0 < 6.13.6.2 | 6.13.6.2 |
| ezsystems | ezpublish-kernel | >= 7.0 < 7.5.6.2 | 7.5.6.2 |
| ezsystems | ezpublish-legacy | >= 0 < 5.4.14.1 | 5.4.14.1 |
| ezsystems | ezpublish-legacy | >= 2017 < 2017.12.7.2 | 2017.12.7.2 |
| ezsystems | ezpublish-legacy | >= 2019 < 2019.03.4.2 | 2019.03.4.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV · 2022-05-24 · CVE-2020-10806 [CRITICAL] eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type
GHSA · 2022-05-24 · CVE-2020-10806 [CRITICAL] eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.