GHSA-6v6p-g8cg-2hgg ezsystems/ezplatform-admin-ui

Package

Manager: composer
Name: ezsystems/ezplatform-admin-ui
Vulnerable Version: >=1.5.0 <1.5.27

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Improper Certificate Validation in node-sass affects eZ Platform

Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries, even if the user has not specified an alternative download path. This affects eZ Platform v2.5 only. The maintainers resolved it by replacing node-sass 4.11 with sass 1.32.13. This issue also affects ezsystems/ezplatform and ezsystems/ezplatform-page-builder.

Metadata

Created: 2022-04-01T12:56:28Z
Modified: 2022-04-01T12:56:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6v6p-g8cg-2hgg/GHSA-6v6p-g8cg-2hgg.json
CWE IDs: ["CWE-295"]
Alternative ID: N/A
Finding: F163
Auto approve: 1