Ez Platform Object Injection in legacy shop module

2024-05-1521:32:29

CWE-94

GitHub Advisory Database

github.com

ez platform

object injection

legacy shop module

backend editor

discount rules

permission

medium severity

7.2 High

AI Score

Confidence

Low

JSON

This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that’s why it was classified as Medium severity.

Affected configurations

Vulners

Node

ezsystemsezpublish-legacyRange<5.4.14.2

ezsystemsezpublish-legacyRange<2017.12.7.3

ezsystemsezpublish-legacyRange<2019.3.5.1

CPENameOperatorVersion
ezsystems/ezpublish-legacylt5.4.14.2
ezsystems/ezpublish-legacylt2017.12.7.3
ezsystems/ezpublish-legacylt2019.3.5.1

Name	Operator	Version
ezsystems/ezpublish-legacy	lt	5.4.14.2
ezsystems/ezpublish-legacy	lt	2017.12.7.3
ezsystems/ezpublish-legacy	lt	2019.3.5.1

References

ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module

github.com/advisories/GHSA-39j2-4p9j-5w4j

github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml

7.2 High

AI Score

Confidence

Low

JSON