Security Advisories - ezsystems/ezpublish-kernel

ezsystems/ezpublish-kernel Security Advisories for v7.5.0-rc1 (15)

[HIGH] eZ Platform Object Injection in SiteAccessMatchListener

PKSA-f997-fdf2-12v5 GHSA-64vj-933f-6pm3

Affected version: >=5.4.0,<5.4.15|>=6.13.0,<6.13.6.4|>=7.5.0,<7.5.8

Reported by:
GitHub
[HIGH] eZ Publish Remote code execution in file uploads

PKSA-rgzv-sd54-69gs GHSA-3vwr-jj4f-h98x

Affected version: >=5.4.0,<5.4.14.1|>=6.13.0,<6.13.6.2|>=7.5.0,<7.5.6.2

Reported by:
GitHub
[LOW] Download route allows filename change in eZpublish kernel

PKSA-z67k-j82n-m783 GHSA-946c-f9w6-2c25

Affected version: >=7.5.0,<7.5.31

Reported by:
GitHub
[CRITICAL] Access control issue in ezsystems/ezpublish-kernel

PKSA-6sj4-k5qk-7xf1 CVE-2022-48367 GHSA-h5v2-wrhp-5v35

Affected version: >=7.5.0,<7.5.28

Reported by:
GitHub
[LOW] Timing attack in eZ Platform Ibexa

PKSA-6zrh-817h-wc9b CVE-2022-48366 GHSA-66m4-gc8h-hpjx

Affected version: >=7.5.0,<7.5.29

Reported by:
GitHub
[HIGH] Company admin role gives excessive privileges in eZ Platform Ibexa

PKSA-vyh4-xcqv-nk64 CVE-2022-48365 GHSA-qq2j-9pf8-g58c

Affected version: >=7.5.0,<7.5.30

Reported by:
GitHub
[MEDIUM] User account enumeration in eZ Publish Ibexa Kernel

PKSA-xy38-8tb1-r2db CVE-2021-46876 GHSA-89p3-9j8c-fqh4

Affected version: >=7.5.0,<7.5.15.1|>=6.13.0,<6.13.8.1

Reported by:
GitHub
[MEDIUM] Cross Site Scripting in eZ Platform Ibexa Kernel

PKSA-fm8v-vkhn-dc5g CVE-2021-46875 GHSA-c737-jhwr-fqxj

Affected version: >=7.5.0,<7.5.15.2|>=6.13.0,<6.13.8.2

Reported by:
GitHub
[CRITICAL] eZ Platform users with the Company admin role can assign any role to any user

PKSA-c699-v1ks-dw56 GHSA-99r3-xmmq-7q7g

Affected version: >=7.5.0,<7.5.30

Reported by:
GitHub
[CRITICAL] Login timing attack in ezsystems/ezpublish-kernel

PKSA-ns35-p1q3-5g4c GHSA-xfqg-p48g-hh94

Affected version: >=7.5.0,<7.5.29

Reported by:
GitHub
[CRITICAL] eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type

PKSA-b5bw-6hbd-8dsn CVE-2020-10806 GHSA-54p5-gxq6-j98g

Affected version: >=7.0,<7.5.6.2|>=6.0,<6.13.6.2|<5.4.14.1

Reported by:
GitHub
[CRITICAL] Object state limitation has no effect

PKSA-f72h-m83w-y9bn GHSA-5x4f-7xgq-r42x

Affected version: >=7.5.0,<7.5.28

Reported by:
GitHub
[CRITICAL] Code injection in ezsystems/ezpublish-kernel

PKSA-h5v6-1rtg-7xrf CVE-2022-25337 GHSA-xwv6-v7qx-f5jc

Affected version: >=7.5.0,<7.5.26

Reported by:
GitHub
[HIGH] EZSA-2020-004 Object Injection in SiteAccessMatchListener

PKSA-b8pq-brvg-3dyp GHSA-gmrf-99gw-vvwj

Affected version: >=7.5.0,<7.5.7.1|>=6.13.0,<6.13.6.3|>=5.4.0,<5.4.14.2

Reported by:
FriendsOfPHP/security-advisories, GitHub
[HIGH] EZSA-2020-001 Remote code execution in file uploads

PKSA-25nt-psjd-9fnj GHSA-mrvj-7q4f-5p42

Affected version: >=7.5.0,<7.5.6.2|>=6.13.0,<6.13.6.2|>=5.4.0,<5.4.14.1

Reported by:
FriendsOfPHP/security-advisories, GitHub

ezsystems/ezpublish-kernel Security Advisories for v7.5.0-rc1 (15)

[HIGH] eZ Platform Object Injection in SiteAccessMatchListener

[HIGH] eZ Publish Remote code execution in file uploads

[LOW] Download route allows filename change in eZpublish kernel

[CRITICAL] Access control issue in ezsystems/ezpublish-kernel

[LOW] Timing attack in eZ Platform Ibexa

[HIGH] Company admin role gives excessive privileges in eZ Platform Ibexa

[MEDIUM] User account enumeration in eZ Publish Ibexa Kernel

[MEDIUM] Cross Site Scripting in eZ Platform Ibexa Kernel

[CRITICAL] eZ Platform users with the Company admin role can assign any role to any user

[CRITICAL] Login timing attack in ezsystems/ezpublish-kernel

[CRITICAL] eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type

[CRITICAL] Object state limitation has no effect

[CRITICAL] Code injection in ezsystems/ezpublish-kernel

[HIGH] EZSA-2020-004 Object Injection in SiteAccessMatchListener

[HIGH] EZSA-2020-001 Remote code execution in file uploads