GHSA-mrvj-7q4f-5p42

Suggest an improvement
Source
https://github.com/advisories/GHSA-mrvj-7q4f-5p42
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-mrvj-7q4f-5p42/GHSA-mrvj-7q4f-5p42.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mrvj-7q4f-5p42
Published
2021-03-19T19:56:42Z
Modified
2024-12-02T05:28:04.537863Z
Summary
Cross-site scripting in eZ Platform Kernel
Details

Impact

In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.

Patches

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.filestorage.filetypeblacklist" at: https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/defaultsettings.yml#L109

Important note

You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-19T19:56:16Z"
}
References

Affected packages

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.13.8.2

Affected versions

5.*

5.0.0
5.1.0-stable
5.1.0-beta2
5.1.0-rc1
5.2.0-beta1
5.2.0-rc1
5.2.0

v6.*

v6.0.0-alpha1
v6.0.0-alpha2
v6.0.0-alpha3
v6.0.0-alpha4
v6.0.0-alpha5
v6.0.0-alpha6
v6.0.0-alpha7
v6.0.0-beta1
v6.0.0-beta2
v6.0.0-beta3
v6.0.0-beta4
v6.0.0-beta5
v6.0.0-beta6
v6.0.0-beta7
v6.0.0-beta8
v6.0.0-rc1
v6.0.0
v6.0.0.1
v6.0.0.2
v6.0.1
v6.0.1.1
v6.0.1.2
v6.0.1.3
v6.0.1.4
v6.0.1.5
v6.0.1.6
v6.0.1.7
v6.1.0-rc1
v6.1.0
v6.1.1
v6.1.1.1
v6.2.0-rc1
v6.2.0-rc2
v6.2.0-rc3
v6.2.0-rc4
v6.2.0-rc5
v6.2.0
v6.2.1
v6.3.0-beta1
v6.3.0-rc1
v6.3.0-rc2
v6.3.0-rc3
v6.3.0
v6.3.1-rc1
v6.3.1
v6.3.2-beta1
v6.3.2-beta2
v6.3.2-beta3
v6.3.2-rc1
v6.3.2
v6.3.3-rc1
v6.3.3
v6.4.0-beta1
v6.4.0-beta2
v6.4.0-rc1
v6.4.0
v6.4.1-rc1
v6.4.1-rc2
v6.4.1
v6.4.2-rc1
v6.4.2
v6.5.0-beta1
v6.5.0-rc1
v6.5.0-rc2
v6.5.0-rc3
v6.5.0
v6.5.1-rc1
v6.5.1
v6.5.1.1
v6.5.2-rc1
v6.5.2-rc2
v6.5.2
v6.6.0-beta1
v6.6.0-beta2
v6.6.0-rc1
v6.6.0-rc2
v6.6.0
v6.6.1-rc1
v6.6.1-rc2
v6.6.1
v6.6.2-rc1
v6.6.2
v6.7.0-beta1
v6.7.0-rc1
v6.7.0
v6.7.0.1
v6.7.0.2
v6.7.0.3
v6.7.1-rc1
v6.7.1-rc2
v6.7.1
v6.7.2-rc1
v6.7.2
v6.7.3-rc1
v6.7.3
v6.7.4-rc1
v6.7.4-rc2
v6.7.4
v6.7.5-rc1
v6.7.5
v6.7.6-rc1
v6.7.6
v6.7.6.1
v6.7.6.2
v6.7.7-beta1
v6.7.7-rc1
v6.7.7-rc2
v6.7.7
v6.7.7.1
v6.7.8-rc1
v6.7.8-rc2
v6.7.8
v6.7.9
v6.7.9.1
v6.7.10-rc1
v6.7.10
v6.8.0-beta1
v6.8.0-rc1
v6.8.0
v6.8.1-rc1
v6.8.1
v6.9.0-beta1
v6.9.0-rc1
v6.9.0
v6.9.1-rc1
v6.9.1-rc2
v6.9.1
v6.10.0-beta1
v6.10.0-beta2
v6.10.0-beta3
v6.10.0-rc1
v6.10.0-rc2
v6.10.0-rc3
v6.10.0
v6.10.1-rc1
v6.10.1
v6.11.0-beta1
v6.11.0-rc1
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.4.1
v6.12.0-beta1
v6.12.0-beta2
v6.12.0-rc1
v6.12.0
v6.12.0.1
v6.12.0.2
v6.12.1-rc1
v6.12.1-rc2
v6.12.1-rc3
v6.12.1-rc4
v6.12.1
v6.12.1.1
v6.13.0-beta1
v6.13.0-beta2
v6.13.0-rc1
v6.13.0
v6.13.0.1
v6.13.1-rc1
v6.13.1
v6.13.1.1
v6.13.1.2
v6.13.2-beta1
v6.13.2-rc1
v6.13.2
v6.13.3-beta1
v6.13.3-rc1
v6.13.3
v6.13.4-beta1
v6.13.4-rc1
v6.13.4
v6.13.5
v6.13.5.1
v6.13.6-rc1
v6.13.6
v6.13.6.2
v6.13.6.3
v6.13.6.4
v6.13.6.5
v6.13.6.6
v6.13.7-beta1+EZP-30823.preview
v6.13.7-beta2
v6.13.8-rc1
v6.13.8
v6.13.8.1

Database specific 

{
    "last_known_affected_version_range": "<= 6.13.8.1"
}

Packagist / ezsystems/ezpublish-kernel

Package

Name
ezsystems/ezpublish-kernel
Purl
pkg:composer/ezsystems/ezpublish-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.5.15.2

Affected versions

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.2.1
v7.0.2.2
v7.0.2.3
v7.1.0-beta1
v7.1.0-beta2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0
v7.1.0.1
v7.1.0.2
v7.1.1-rc1
v7.1.1
v7.1.1.1
v7.2.0-beta1
v7.2.0-rc1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.4.1
v7.2.5
v7.3.0-beta1
v7.3.0-rc1
v7.3.0-rc2
v7.3.0
v7.3.1
v7.3.2
v7.3.2.1
v7.3.3
v7.3.4
v7.3.5
v7.4.0-beta1
v7.4.0-rc1
v7.4.0
v7.4.1
v7.4.2
v7.4.3-rc1
v7.4.3
v7.4.4
v7.5.0-rc1
v7.5.0-rc2
v7.5.0-rc3
v7.5.0-rc4
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6-rc1
v7.5.6
v7.5.6.2
v7.5.7-rc1
v7.5.7
v7.5.7.1
v7.5.8
v7.5.9
v7.5.9.1
v7.5.10
v7.5.11
v7.5.12
v7.5.13
v7.5.14
v7.5.15
v7.5.15.1

Database specific 

{
    "last_known_affected_version_range": "<= 7.5.15.1"
}

Packagist / ezsystems/ezplatform-kernel

Package

Name
ezsystems/ezplatform-kernel
Purl
pkg:composer/ezsystems/ezplatform-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.5.1

Affected versions

v1.*

v1.0.0-rc1
v1.0.0
v1.0.1
v1.0.1.1
v1.0.2
v1.0.2.1
v1.0.3
v1.0.4
v1.0.5
v1.1.0-beta1
v1.1.0-rc1
v1.1.0-rc2
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.2.0-beta1
v1.2.0-rc1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5

Database specific 

{
    "last_known_affected_version_range": "<= 1.2.5"
}

Packagist / ezsystems/ezplatform-kernel

Package

Name
ezsystems/ezplatform-kernel
Purl
pkg:composer/ezsystems/ezplatform-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.1.1

Affected versions

v1.*

v1.3.0
v1.3.1

Database specific 

{
    "last_known_affected_version_range": "<= 1.3.1"
}