GHSA-58h5-h554-429q – ezsystems/ezplatform-admin-ui

Package

Manager: composer
Name: ezsystems/ezplatform-admin-ui
Vulnerable Version: >=2.3.0 <2.3.26

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

ezplatform-admin-ui vulnerable to Cross-Site Scripting (XSS) It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.

Metadata

Created: 2022-11-10T21:42:09Z
Modified: 2022-11-10T21:42:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-58h5-h554-429q/GHSA-58h5-h554-429q.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1