Cross-Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled input in image asset names, content language names, and future publishing features, which allows an attacker with back-office editor or administrator privilege...

EUVD-2025-34903

ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal...

Cross-site Scripting (XSS)

Overview ezsystems/ezplatform-admin-ui is a package that is part of the eZ Platform Admin UI Bundle. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the reschedule/cancel-schedule modal in the back office interface. An attacker can execute arbitrary scripts by...

EUVD-2025-29366

Malicious code in bioql PyPI...

Cross-Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input sanitization and failure to properly escape in editable fields within the back office, allowing malicious scripts to be stored and later executed...

GHSA-MGFG-7533-7JF6 ezsystems/ezplatform-http-cache affected by Breach with Varnish VCL

Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix...

ezsystems/ezplatform-http-cache affected by Breach with Varnish VCL

Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix...

PT-2024-40372 · Varnish +1 · Varnish +1

Name of the Vulnerable Software and Affected Versions: ezplatform-http-cache affected versions not specified Description: The issue is related to the BREACH vulnerability, which affects HTTP compression and can allow secrets to be extracted through carefully crafted requests. This is due to...

Cross-site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper escaping of filenames, allowing XSS payloads to be executed during file upload...

Cache Poisoning

ezsystems/ezplatform is vulnerable to cache poisoning. The vulnerability is due to the inability to prevent front-controller script inclusion in URLs when using eZ Platform Cloud or within the .platform.app.yaml configuration file. It allows an attacker to manipulate the cache and potentially ser...

Cross Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross Site Scripting XSS. The vulnerability is due to insufficient escaping of user-generated content within parts of the Admin UI, allowing attackers to inject malicious scripts that can then be executed within the context of other users' sessions o...

Brute Force Attack

ezsystems/ezplatform-user is vulnerable to Brute Force Attack. The vulnerability is due to the password reset functionality not having sufficient protections against brute force attacks, allowing attackers to repeatedly attempt different passwords to gain unauthorized access to user accounts...

Brute Force Attack

ezsystems/ezplatform-admin-ui is vulnerable to a Brute Force Attack. The vulnerability is due to a weakness in the forgotten password reset functionality, which allows excessive attempts without sufficient lockout measures...

Cross-Site Request Forgery (CSRF)

ezsystems/ezplatform is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to the CSRF protection which is not enabled by default., which allows attackers to perform unauthorized actions by exploiting the inactive CSRF token...

Access Bypass

ezsystems/ezplatform is vulnerable to Access Bypass. The vulnerability is due to inadequate rewrite rules for blocking access to executable files in the var directory when using eZ Platform Cloud on Platform.sh...

eZ Platform Admin UI is vulnerable to Cross-site Scripting (XSS)

There is an XSS vulnerability in CKEditor, which is used by AlloyEditor, which is used in eZ Platform Admin UI. Scripts can be injected through specially crafted "protected" comments. We are not sure it is exploitable in eZ Platform, but recommend installing it to be on the safe side. It is fixed...

eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution RCE, a very serious threat. All sites may be affected. Update: There are bugs introduced by this fix, particularly but not limited to compound...

GHSA-64VJ-933F-6PM3 eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution RCE, a very serious threat. All sites may be affected. Update: There are bugs introduced by this fix, particularly but not limited to compound...

GHSA-2W9P-XXQR-H253 eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution RCE, a very serious threat. All sites may be affected. Update: There are bugs introduced by this fix, particularly but not limited to compound...

eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution RCE, a very serious threat. All sites may be affected. Update: There are bugs introduced by this fix, particularly but not limited to compound...