Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNzM3LWpod3ItZnF4as4AAyDx
Cross Site Scripting in eZ Platform Ibexa Kernel
Impact
In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.
Patches
Patches
The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.file_storage.file_type_blacklist" at:
https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109
Important note
Important note
You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.
Permalink: https://github.com/advisories/GHSA-c737-jhwr-fqxjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNzM3LWpod3ItZnF4as4AAyDx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00078
EPSS Percentile: 0.35618
Identifiers: GHSA-c737-jhwr-fqxj, CVE-2021-46875
References:
- https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42
- https://nvd.nist.gov/vuln/detail/CVE-2021-46875
- https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b
- https://github.com/advisories/GHSA-c737-jhwr-fqxj
Blast Radius: 15.5
Affected Packages
packagist:ezsystems/ezplatform-kernel
Dependent packages: 114Dependent repositories: 99
Downloads: 203,338 total
Affected Version Ranges: >= 1.3.0, < 1.3.1.1, >= 1.2.0, < 1.2.5.1
Fixed in: 1.3.1.1, 1.2.5.1
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.3.27, 1.3.28, 1.3.29, 1.3.30, 1.3.31, 1.3.32, 1.3.33, 1.3.34, 1.3.35, 1.3.36, 1.3.37, 1.3.38
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5
packagist:ezsystems/ezpublish-kernel
Dependent packages: 230Dependent repositories: 352
Downloads: 569,514 total
Affected Version Ranges: >= 7.5.0, < 7.5.15.2, >= 6.13.0, < 6.13.8.2
Fixed in: 7.5.15.2, 6.13.8.2
All affected versions: 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6, 6.13.8, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.5.1, 7.5.1-5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.5.24, 7.5.25, 7.5.26, 7.5.27, 7.5.28, 7.5.29, 7.5.30, 7.5.31, 2013.4.0, 2013.5.0, 2013.6.0, 2013.7.0, 2013.7.1, 2013.7.2, 2013.7.3, 2013.9.0, 2013.9.1, 2013.9.2, 2013.11.0, 2013.11.1, 2014.1.0, 2014.1.1, 2014.1.2, 2014.1.3, 2014.1.4, 2014.1.5, 2014.3.1, 2014.3.2, 2014.3.3, 2014.3.4, 2014.5.0, 2014.5.1, 2014.5.2, 2014.7.0, 2014.7.1, 2014.7.2, 2014.7.3, 2014.11.0, 2014.11.1, 2014.11.2, 2014.11.3, 2014.11.4, 2014.11.5, 2014.11.6, 2014.11.7, 2014.11.8
All unaffected versions: 5.0.0, 5.2.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8, 6.7.9, 6.7.10, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.10.0, 6.10.1, 6.11.0, 6.11.1, 6.11.2, 6.11.3, 6.11.4, 6.12.0, 6.12.1