Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zOWoyLTRwOWotNXc0as4AA8IQ
Ez Platform Object Injection in legacy shop module
This Security Advisory concerns a vulnerability in the Legacy shop module. A backend editor could perform object injection through discount rules. Exploiting it requires backend access and permission to edit discount rules. While object injection is in itself a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, which is why it was classified as Medium severity.
Permalink: https://github.com/advisories/GHSA-39j2-4p9j-5w4j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOWoyLTRwOWotNXc0as4AA8IQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-39j2-4p9j-5w4j
References:
- https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module
- https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml
- https://github.com/advisories/GHSA-39j2-4p9j-5w4j
Affected Packages
packagist:ezsystems/ezpublish-legacy
Dependent packages: 19
Dependent repositories: 71
Downloads: 237,306 total
Affected Version Ranges: >= 5.4.0, < 5.4.14.2, >= 2017.12.0, < 2017.12.7.3, >= 2019.3.0, < 2019.3.5.1
Fixed in: 5.4.14.2, 2017.12.7.3, 2019.3.5.1
All affected versions: 2017.12.0, 2017.12.1, 2017.12.2, 2017.12.3, 2017.12.4, 2017.12.5, 2017.12.6, 2017.12.7, 2018.6.0, 2018.6.1, 2018.9.0, 2018.9.1, 2018.9.2, 2018.9.3, 2018.9.4, 2018.9.5, 2019.3.0, 2019.3.1, 2019.3.2, 2019.3.3, 2019.3.4, 2019.3.5, 2019.3.6
All unaffected versions: 2013.4.0, 2013.5.0, 2013.6.0, 2013.7.0, 2013.7.1, 2013.7.3, 2013.9.0, 2014.1.0, 2014.1.1, 2014.1.2, 2014.3.1, 2014.3.2, 2014.5.0, 2014.5.1, 2014.5.2, 2014.7.0, 2014.7.1, 2014.7.2, 2014.11.0, 2014.11.1, 2014.11.2, 2015.1.0, 2015.1.1, 2015.1.2, 2015.1.3, 2017.8.0, 2017.8.1, 2017.10.0, 2017.10.1