GHSA-54p5-gxq6-j98g

Source
https://github.com/advisories/GHSA-54p5-gxq6-j98g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-54p5-gxq6-j98g/GHSA-54p5-gxq6-j98g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-54p5-gxq6-j98g
Aliases
Published
2022-05-24T17:12:08Z
Modified
2024-12-08T05:29:04.977660Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type
Details

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Database specific
{
    "nvd_published_at": "2020-03-22T16:15:00Z",
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T20:57:31Z"
}
References

Affected packages

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.4.14.1

Affected versions

5.*

5.0.0
5.1.0-stable
5.1.0-beta2
5.1.0-rc1
5.2.0-beta1
5.2.0-rc1
5.2.0

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.4.14.1

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0
Fixed
6.13.6.2

Affected versions

v6.*

v6.0.0-alpha1
v6.0.0-alpha2
v6.0.0-alpha3
v6.0.0-alpha4
v6.0.0-alpha5
v6.0.0-alpha6
v6.0.0-alpha7
v6.0.0-beta1
v6.0.0-beta2
v6.0.0-beta3
v6.0.0-beta4
v6.0.0-beta5
v6.0.0-beta6
v6.0.0-beta7
v6.0.0-beta8
v6.0.0-rc1
v6.0.0
v6.0.0.1
v6.0.0.2
v6.0.1
v6.0.1.1
v6.0.1.2
v6.0.1.3
v6.0.1.4
v6.0.1.5
v6.0.1.6
v6.0.1.7
v6.1.0-rc1
v6.1.0
v6.1.1
v6.1.1.1
v6.2.0-rc1
v6.2.0-rc2
v6.2.0-rc3
v6.2.0-rc4
v6.2.0-rc5
v6.2.0
v6.2.1
v6.3.0-beta1
v6.3.0-rc1
v6.3.0-rc2
v6.3.0-rc3
v6.3.0
v6.3.1-rc1
v6.3.1
v6.3.2-beta1
v6.3.2-beta2
v6.3.2-beta3
v6.3.2-rc1
v6.3.2
v6.3.3-rc1
v6.3.3
v6.4.0-beta1
v6.4.0-beta2
v6.4.0-rc1
v6.4.0
v6.4.1-rc1
v6.4.1-rc2
v6.4.1
v6.4.2-rc1
v6.4.2
v6.5.0-beta1
v6.5.0-rc1
v6.5.0-rc2
v6.5.0-rc3
v6.5.0
v6.5.1-rc1
v6.5.1
v6.5.1.1
v6.5.2-rc1
v6.5.2-rc2
v6.5.2
v6.6.0-beta1
v6.6.0-beta2
v6.6.0-rc1
v6.6.0-rc2
v6.6.0
v6.6.1-rc1
v6.6.1-rc2
v6.6.1
v6.6.2-rc1
v6.6.2
v6.7.0-beta1
v6.7.0-rc1
v6.7.0
v6.7.0.1
v6.7.0.2
v6.7.0.3
v6.7.1-rc1
v6.7.1-rc2
v6.7.1
v6.7.2-rc1
v6.7.2
v6.7.3-rc1
v6.7.3
v6.7.4-rc1
v6.7.4-rc2
v6.7.4
v6.7.5-rc1
v6.7.5
v6.7.6-rc1
v6.7.6
v6.7.6.1
v6.7.6.2
v6.7.7-beta1
v6.7.7-rc1
v6.7.7-rc2
v6.7.7
v6.7.7.1
v6.7.8-rc1
v6.7.8-rc2
v6.7.8
v6.7.9
v6.7.9.1
v6.7.10-rc1
v6.7.10
v6.8.0-beta1
v6.8.0-rc1
v6.8.0
v6.8.1-rc1
v6.8.1
v6.9.0-beta1
v6.9.0-rc1
v6.9.0
v6.9.1-rc1
v6.9.1-rc2
v6.9.1
v6.10.0-beta1
v6.10.0-beta2
v6.10.0-beta3
v6.10.0-rc1
v6.10.0-rc2
v6.10.0-rc3
v6.10.0
v6.10.1-rc1
v6.10.1
v6.11.0-beta1
v6.11.0-rc1
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.4.1
v6.12.0-beta1
v6.12.0-beta2
v6.12.0-rc1
v6.12.0
v6.12.0.1
v6.12.0.2
v6.12.1-rc1
v6.12.1-rc2
v6.12.1-rc3
v6.12.1-rc4
v6.12.1
v6.12.1.1
v6.13.0-beta1
v6.13.0-beta2
v6.13.0-rc1
v6.13.0
v6.13.0.1
v6.13.1-rc1
v6.13.1
v6.13.1.1
v6.13.1.2
v6.13.2-beta1
v6.13.2-rc1
v6.13.2
v6.13.3-beta1
v6.13.3-rc1
v6.13.3
v6.13.4-beta1
v6.13.4-rc1
v6.13.4
v6.13.5
v6.13.5.1
v6.13.6-rc1
v6.13.6

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0
Fixed
7.5.6.2

Affected versions

v7.*

v7.0.0-beta1
v7.0.0-beta2
v7.0.0-beta3
v7.0.0-rc1
v7.0.0
v7.0.1
v7.0.2
v7.0.2.1
v7.0.2.2
v7.0.2.3
v7.1.0-beta1
v7.1.0-beta2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0
v7.1.0.1
v7.1.0.2
v7.1.1-rc1
v7.1.1
v7.1.1.1
v7.2.0-beta1
v7.2.0-rc1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.4.1
v7.2.5
v7.3.0-beta1
v7.3.0-rc1
v7.3.0-rc2
v7.3.0
v7.3.1
v7.3.2
v7.3.2.1
v7.3.3
v7.3.4
v7.3.5
v7.4.0-beta1
v7.4.0-rc1
v7.4.0
v7.4.1
v7.4.2
v7.4.3-rc1
v7.4.3
v7.4.4
v7.5.0-rc1
v7.5.0-rc2
v7.5.0-rc3
v7.5.0-rc4
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6-rc1
v7.5.6

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2017
Fixed
2017.12.7.2

Affected versions

v2017.*

v2017.08.0
v2017.08.1
v2017.08.1.1
v2017.10.0-RC1
v2017.10.0
v2017.10.1
v2017.12.0
v2017.12.1
v2017.12.1.1
v2017.12.2
v2017.12.2.1
v2017.12.2.2
v2017.12.3
v2017.12.3.1
v2017.12.3.2
v2017.12.4
v2017.12.4.1
v2017.12.4.2
v2017.12.4.3
v2017.12.5
v2017.12.6
v2017.12.7

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2019
Fixed
2019.03.4.2

Affected versions

v2019.*

v2019.03.0-rc1
v2019.03.0-rc2
v2019.03.0
v2019.03.1
v2019.03.2
v2019.03.3
v2019.03.4