Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tOThxLXA1Z3EtcTVmZs4AAXiO

eZ Publish Cross-site Scripting (XSS) vulnerability

eZ Systems eZ Publish versions 5.4.0 through 5.4.9, and 5.3.12.0 and older, are vulnerable to an XSS issue in the search module, allowing attackers to inject scripts that may, for example, steal authentication credentials.

Permalink: https://github.com/advisories/GHSA-m98q-p5gq-q5ff
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOThxLXA1Z3EtcTVmZs4AAXiO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-m98q-p5gq-q5ff, CVE-2017-1000431
References: Repository: https://github.com/ezsystems/ezpublish-legacy
Blast Radius: 11.3

Affected Packages

packagist:ezsystems/ezpublish-legacy
Dependent packages: 19
Dependent repositories: 71
Downloads: 236,351 total
Affected Version Ranges: >= 5.3.0, < 5.3.12.1, >= 5.4.0, < 5.4.10
Fixed in: 5.3.12.1, 5.4.10
All affected versions:
All unaffected versions: 2013.4.0, 2013.5.0, 2013.6.0, 2013.7.0, 2013.7.1, 2013.7.3, 2013.9.0, 2014.1.0, 2014.1.1, 2014.1.2, 2014.3.1, 2014.3.2, 2014.5.0, 2014.5.1, 2014.5.2, 2014.7.0, 2014.7.1, 2014.7.2, 2014.11.0, 2014.11.1, 2014.11.2, 2015.1.0, 2015.1.1, 2015.1.2, 2015.1.3, 2017.8.0, 2017.8.1, 2017.10.0, 2017.10.1, 2017.12.0, 2017.12.1, 2017.12.2, 2017.12.3, 2017.12.4, 2017.12.5, 2017.12.6, 2017.12.7, 2018.6.0, 2018.6.1, 2018.9.0, 2018.9.1, 2018.9.2, 2018.9.3, 2018.9.4, 2018.9.5, 2019.3.0, 2019.3.1, 2019.3.2, 2019.3.3, 2019.3.4, 2019.3.5, 2019.3.6