CVE-2020-10806

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-10806

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10806.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-10806

Aliases

GHSA-54p5-gxq6-j98g

Published

2020-03-22T16:15:12Z

Modified

2024-09-02T22:40:18Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

References

https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads

Affected packages

Git / github.com/ezsystems/ezpublish-kernel

Affected ranges

Type: GIT
Repo: https://github.com/ezsystems/ezpublish-kernel
Events: Introduced

c10d6217b6daafa1032536c852dfe1c1acb49e5d

Fixed

296628934d22c427d97ad49f7b12149b51b5c4d2