eZ Community » Security Advisories » EZSA-2012-001: Information disclosure...

EZSA-2012-001: Information disclosure & access rights issue in ezjscore extension

Publication date : 26/03/2012
Severity : High
Affected versions : eZ JS Core 1.4, 1.3, 1.2
Resolving versions : eZ JS Core 1.5
References : EZSA-2012-002, EZSA-2012-003, EZSA-2012-004, EZSA-2012-005

This Security Advisory covers an issue with content fetching, which may allow a remote exploit, depending on eZ JS Core function access policy settings. In the worst case, which is also the default setting, an anonymous attacker may be able to extract the meta data and content of any content object in the database, including user objects. It also fixes a second issue, where an attacker can change node priority (a sort order criteria) in node lists, without having edit access to the node.

We recommend that you disable this extension until you have installed this patch.

Patch available on Github (see link below).
A Security Update with the reference EZPESU-2012-001-EZJSCORE1.x is available for eZ Publish Enterprise customers.

Patch

https://github.com/ezsystems/ezjscore/commit/de5503198ffa325a4a65fbc34d396bd0f2bfbec4

Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for discovering and reporting this vulnerability.

36 542 Users on board!

Community Project menu

Proudly Developed with from