Description
eZ Platform Object Injection in SiteAccessMatchListener
This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.
Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.
Packages
Name: ezsystems/ezpublish-kernel (composer)
Affected versions: >= 7.5.0, < 7.5.8
Fixed version: 7.5.8
Name: ezsystems/ezpublish-kernel (composer)
Affected versions: >= 6.13.0, < 6.13.6.4
Fixed version: 6.13.6.4
Name: ezsystems/ezpublish-kernel (composer)
Affected versions: >= 5.4.0, < 5.4.15
Fixed version: 5.4.15
Weaknesses
CWE-94