GHSA-2vh3-cj9j-mcj5

Source
https://github.com/advisories/GHSA-2vh3-cj9j-mcj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-2vh3-cj9j-mcj5/GHSA-2vh3-cj9j-mcj5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2vh3-cj9j-mcj5
Published
2024-05-15T21:29:15Z
Modified
2024-11-29T05:34:13.006366Z
Summary
eZ Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template
Details

This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge.

Installations where all modules are disabled may be vulnerable to XSS injection via the module name: the name of the requested (disabled) module is rendered in the "disabled module" error template without being escaped (CWE-79). This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing (escaping) of the module name before it is output.

To install, use Composer to update to one of the fixed versions listed under "Affected ranges" below (2017.12.4.2, 2018.6.1.3, 2018.9.1.2, 5.3.12.5 or 5.4.12.2, depending on the branch you run), or apply this patch manually: https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9
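The following is an added example (not code from the advisory or from the eZ Publish project) that checks whether the ezsystems/ezpublish-legacy version pinned in a composer.lock file falls inside one of the five affected ranges listed under "Affected ranges" below, using the page's own introduced/fixed pairs with OSV semantics (introduced inclusive, fixed exclusive). The composer.lock content, the command-line argument and the helper names are constructed for illustration; the version parser covers only the tag forms that appear on this page (optional leading "v", zero-padded components, a "-RC1" style suffix).

```python
import json
import re
import sys
from typing import Optional, Tuple

# Affected ranges as listed in the "Affected ranges" section of this advisory
# (OSV ECOSYSTEM events: "introduced" is inclusive, "fixed" is exclusive).
AFFECTED_RANGES = [
    ("2018.9.0", "2018.9.1.2"),
    ("2018.6.0", "2018.6.1.3"),
    ("2011.0.0", "2017.12.4.2"),
    ("5.4.0", "5.4.12.2"),
    ("5.3.0", "5.3.12.5"),
]

PACKAGE = "ezsystems/ezpublish-legacy"

# Constructed composer.lock fragment used when no path is given on the command
# line. It is not a real lock file; only "name" and "version" are consulted.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "ezsystems/ezpublish-legacy", "version": "v2017.12.4.1"},
        {"name": "example/unrelated-package", "version": "1.2.3"},
    ],
    "packages-dev": [],
})

# Optional "v", dotted integers, optional pre-release suffix such as "-RC1".
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-([A-Za-z]+\d*))?")


def parse_version(version: str) -> Tuple[Tuple[int, ...], tuple]:
    """Normalise a Packagist version tag into a comparable key.

    "v2018.09.1.1" and "2018.9.1.1" become the same key, missing trailing
    components are treated as 0 (so "v2013.11" == "2013.11.0.0"), and a
    pre-release suffix sorts before the bare release, so that
    2017.10.0-RC1 < 2017.10.0, as Composer orders them.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    # (1,) marks a final release; (0, "rc1") marks a pre-release of it.
    pre = (1,) if m.group(2) is None else (0, m.group(2).lower())
    return (numbers, pre)


def affected_range(installed: str) -> Optional[str]:
    """Return the "fixed" version the installed version should move to,
    or None when the installed version lies outside every affected range."""
    key = parse_version(installed)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


def check_composer_lock(lock_json: str, package: str = PACKAGE
                        ) -> Tuple[Optional[str], Optional[str]]:
    """Look the package up in a composer.lock document.

    Returns (installed_version, fixed_version): installed_version is None when
    the package is not present; fixed_version is None when the installed
    version is not inside any affected range.
    """
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                installed = pkg["version"]
                return installed, affected_range(installed)
    return None, None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_text = fh.read()
    else:
        lock_text = SAMPLE_LOCK
    installed, fixed = check_composer_lock(lock_text)
    if installed is None:
        print(f"{PACKAGE} is not present in the lock file")
    elif fixed is None:
        print(f"{PACKAGE} {installed} is outside the affected ranges")
    else:
        print(f"{PACKAGE} {installed} is affected by GHSA-2vh3-cj9j-mcj5; "
              f"update to {fixed}")
```

The check reads only the version Composer recorded, so an installation that was patched by applying the linked commit by hand will still be reported as affected; in that case confirm that the washing from the commit is present in the deployed template rather than relying on the version number.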

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:29:15Z"
}
References

Affected packages

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2018.9.0
Fixed
2018.9.1.2

Affected versions

v2018.*

v2018.09.0
v2018.09.1
v2018.09.1.1

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2018.6.0
Fixed
2018.6.1.3

Affected versions

v2018.*

v2018.06.0
v2018.06.1
v2018.06.1.1
v2018.06.1.2

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2011.0.0
Fixed
2017.12.4.2

Affected versions

2013.*

2013.04.0

v2013.*

v2013.05.0
v2013.06.0
v2013.07.0
v2013.07.1
v2013.07.3
v2013.09.0
v2013.11

v2014.*

v2014.01.0
v2014.01.1
v2014.01.2
v2014.03.1
v2014.03.2
v2014.05.0
v2014.05.1
v2014.05.2
v2014.07.0
v2014.07.1
v2014.07.2
v2014.11.0
v2014.11.1
v2014.11.2

v2015.*

v2015.01.0
v2015.01.1
v2015.01.2
v2015.01.3

v2017.*

v2017.08.0
v2017.08.1
v2017.08.1.1
v2017.10.0-RC1
v2017.10.0
v2017.10.1
v2017.12.0
v2017.12.1
v2017.12.1.1
v2017.12.2
v2017.12.2.1
v2017.12.2.2
v2017.12.3
v2017.12.3.1
v2017.12.3.2
v2017.12.4
v2017.12.4.1

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.12.2

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.12.5