Ez Platform Object Injection in legacy shop module

2024-05-1521:32:29

Google

osv.dev

ez platform

object injection

legacy shop module

discount rules

medium severity

backend access

permission

administrators

7.2 High

AI Score

Confidence

Low

JSON

This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that’s why it was classified as Medium severity.

CPENameOperatorVersion
ezsystems/ezpublish-legacyeq2019.03.3
ezsystems/ezpublish-legacyeq2017.12.3
ezsystems/ezpublish-legacyeq2019.03.4.2
ezsystems/ezpublish-legacyeq2017.12.7.2
ezsystems/ezpublish-legacyeq2017.12.2.1
ezsystems/ezpublish-legacyeq2017.12.2.2
ezsystems/ezpublish-legacyeq2017.12.5
ezsystems/ezpublish-legacyeq2019.03.0
ezsystems/ezpublish-legacyeq2019.03.1
ezsystems/ezpublish-legacyeq2017.12.1

Name	Operator	Version
ezsystems/ezpublish-legacy	eq	2019.03.3
ezsystems/ezpublish-legacy	eq	2017.12.3
ezsystems/ezpublish-legacy	eq	2019.03.4.2
ezsystems/ezpublish-legacy	eq	2017.12.7.2
ezsystems/ezpublish-legacy	eq	2017.12.2.1
ezsystems/ezpublish-legacy	eq	2017.12.2.2
ezsystems/ezpublish-legacy	eq	2017.12.5
ezsystems/ezpublish-legacy	eq	2019.03.0
ezsystems/ezpublish-legacy	eq	2019.03.1
ezsystems/ezpublish-legacy	eq	2017.12.1

Rows per page:

1-10 of 241

References

ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module

github.com/ezsystems/ezpublish-legacy

github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/2020-10-05-1.yaml

7.2 High

AI Score

Confidence

Low

JSON