CVE-2020-10806 ezsystems/ezpublish-legacy

Package

Manager: composer
Name: ezsystems/ezpublish-legacy
Vulnerable Version: >=0 <5.4.14.1 || >=2017 <2017.12.7.2 || >=2019 <2019.03.4.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02833 (percentile: 0.85656)

Details

eZ Publish Kernel and Legacy Unrestricted Upload of File with Dangerous Type

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Metadata

Created: 2022-05-24T17:12:08Z
Modified: 2024-04-25T20:57:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-54p5-gxq6-j98g/GHSA-54p5-gxq6-j98g.json
CWE IDs: []
Alternative ID: GHSA-54p5-gxq6-j98g
Finding: F027
Auto approve: 1