Ezsystems Ezpublish-Kernel vulnerabilities

7 known vulnerabilities affecting ezsystems/ezpublish-kernel.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 2, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2022-48367 | CRITICAL | ≥ 7.5.0, < 7.5.28 | 2023-03-12
CVE-2022-48367 [CRITICAL] CWE-862 Access control issue in ezsystems/ezpublish-kernel: Access control based on object state is mishandled. This is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on ho
CVE-2022-48365 | HIGH | ≥ 7.5.0, < 7.5.30 | 2023-03-12
CVE-2022-48365 [HIGH] CWE-269 Company admin role gives excessive privileges in eZ Platform Ibexa: Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the sco
CVE-2022-48366 | LOW | ≥ 7.5.0, < 7.5.29 | 2023-03-12
CVE-2022-48366 [LOW] CWE-362 Timing attack in eZ Platform Ibexa: Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.a
CVE-2020-10806 | CRITICAL | ≥ 0, < 5.4.14.1; ≥ 6.0, < 6.13.6.2; +1 more | 2022-05-24
CVE-2020-10806 [CRITICAL] eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type: eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
CVE-2022-25337 | CRITICAL | ≥ 7.5.0, < 7.5.26 | 2022-02-19
CVE-2022-25337 [CRITICAL] CWE-74 Code injection in ezsystems/ezpublish-kernel: When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, which limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors are removed from the original file name. The
CVE-2021-46875 | HIGH | ≥ 0, < 6.13.8.2; ≥ 7.0.0, < 7.5.15.2 | 2021-03-19
CVE-2021-46875 [HIGH] CWE-79 Cross-site scripting in eZ Platform Kernel. Impact: In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims. Patches: The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this c
CVE-2021-46876 | MEDIUM | ≥ 6.13.0, < 6.13.8.1; ≥ 7.5.0, < 7.5.15.1 | 2021-03-11
CVE-2021-46876 [MEDIUM] CWE-203 /user/sessions endpoint allows detecting valid accounts: This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensur