eZ Platform Admin UI Cross-site Scripting vulnerability

2024-05-1521:13:43

CWE-79

GitHub Advisory Database

github.com

ez platform

admin ui

cross-site scripting

vulnerability

xss

injection

composer

update

escaping

code

AI Score

6.8

Confidence

High

JSON

This security advisory fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. Parts of the Admin UI are vulnerable to XSS injection. All 2.x sites are at risk, and particularly those that allow user generated content. The update adds the necessary escaping of injected code. This resolves the issue both for code that has already been injected, and any future such code.

To install, use Composer to update “ezsystems/ezplatform-admin-ui” and “ezsystems/ezplatform-page-builder” to one of the “Resolving versions” mentioned above. (ezplatform-page-builder exists only in eZ Platform Enterprise Edition.)

Affected configurations

Vulners

Node

ezsystemsezplatform-admin-uiRange1.4.0–1.4.4

ezsystemsezplatform-admin-uiRange1.3.0–1.3.5

VendorProductVersionCPE
ezsystemsezplatform-admin-ui*cpe:2.3:a:ezsystems:ezplatform-admin-ui:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ezsystems	ezplatform-admin-ui	*	cpe:2.3:a:ezsystems:ezplatform-admin-ui::::::::

References

github.com/advisories/GHSA-q73v-79x3-jv2w

github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform-admin-ui/CVE-2019-12139.yaml

share.ez.no/community-project/security-advisories/ezsa-2019-001-xss-in-admin-ui

web.archive.org/web/20201207160038/https://share.ez.no/community-project/security-advisories/ezsa-2019-001-xss-in-admin-ui

AI Score

6.8

Confidence

High

JSON