GHSA-c737-jhwr-fqxj

Source

https://github.com/advisories/GHSA-c737-jhwr-fqxj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-c737-jhwr-fqxj/GHSA-c737-jhwr-fqxj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c737-jhwr-fqxj

Aliases

CVE-2021-46875

Published

2023-03-12T06:30:21Z

Modified

2023-11-08T04:07:27.495696Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross Site Scripting in eZ Platform Ibexa Kernel

Details

Impact

In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims. Patches

Patches

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.filestorage.filetypeblacklist" at: https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/defaultsettings.yml#L109 Important note

Important note

You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.

Database specific

{
    "nvd_published_at": "2023-03-12T05:15:00Z",
    "github_reviewed_at": "2023-03-13T20:57:46Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / ezsystems/ezpublish-kernel

Package

Name: ezsystems/ezpublish-kernel
Purl: pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.8.2

Affected versions

v6.*

v6.13.0

v6.13.0.1

v6.13.1-rc1

v6.13.1

v6.13.1.1

v6.13.1.2

v6.13.2-beta1

v6.13.2-rc1

v6.13.2

v6.13.3-beta1

v6.13.3-rc1

v6.13.3

v6.13.4-beta1

v6.13.4-rc1

v6.13.4

v6.13.5

v6.13.5.1

v6.13.6-rc1

v6.13.6

v6.13.6.2

v6.13.6.3

v6.13.6.4

v6.13.6.5

v6.13.6.6

v6.13.7-beta1+EZP-30823.preview

v6.13.7-beta2

v6.13.8-rc1

v6.13.8

v6.13.8.1

Packagist / ezsystems/ezpublish-kernel

Package

Name: ezsystems/ezpublish-kernel
Purl: pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.5.0

Fixed

7.5.15.2

Affected versions

v7.*

v7.5.0

v7.5.1

v7.5.2

v7.5.3

v7.5.4

v7.5.5

v7.5.6-rc1

v7.5.6

v7.5.6.2

v7.5.7-rc1

v7.5.7

v7.5.7.1

v7.5.8

v7.5.9

v7.5.9.1

v7.5.10

v7.5.11

v7.5.12

v7.5.13

v7.5.14

v7.5.15

v7.5.15.1

Packagist / ezsystems/ezplatform-kernel

Package

Name: ezsystems/ezplatform-kernel
Purl: pkg:composer/ezsystems/ezplatform-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2.0

Fixed

1.2.5.1

Affected versions

v1.*

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

Packagist / ezsystems/ezplatform-kernel

Package

Name: ezsystems/ezplatform-kernel
Purl: pkg:composer/ezsystems/ezplatform-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0

Fixed

1.3.1.1

Affected versions

v1.*

v1.3.0

v1.3.1