
EZSA-2012-002: Information disclosure issue in ezoe extension

Publication date : 26/03/2012
Severity : Medium
Affected versions : eZ Online Editor 5.4, 5.4, 5.2, 5.1, 5.0
Resolving versions : eZ Online Editor 5.5
References : EZSA-2012-001, EZSA-2012-003, EZSA-2012-004, EZSA-2012-005

This security advisory addresses an issue in the browse-for-content-objects, tagging, reading and editing functionality of the eZ Online Editor (ezoe) extension, which is used by almost all eZ Publish installations. It may be possible to extract meta information about content nodes (though not the content itself) without having read access to them. To exploit this, the attacker must already have access to the eZ Online Editor functionality, which is usually a privilege granted only to content contributors.
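The defensive point behind this advisory is that a browse or lookup endpoint which returns only node metadata (name, class, modification date, path) still has to enforce the same read permission as the endpoint that returns the content itself. The following is an added illustration of that principle as a small hypothetical model; it is not the ezoe code, not the linked patch, and does not use the eZ Publish API. The `Node`, `User`, tree contents and permission model are all constructed for the example.

```python
"""Hypothetical model of an editor's content-browse endpoint (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    node_id: int
    path: str              # materialised path, e.g. "/1/2/45"
    name: str
    class_identifier: str
    modified: str
    body: str              # the actual content; browse never returns this


@dataclass(frozen=True)
class User:
    name: str
    readable_subtrees: frozenset  # paths whose subtrees this user may read


def can_read(user: User, node: Node) -> bool:
    """A node is readable if it lies in one of the user's readable subtrees."""
    return any(node.path == p or node.path.startswith(p + "/")
               for p in user.readable_subtrees)


def metadata(node: Node) -> dict:
    """The 'harmless-looking' projection a browse dialog shows. Even this leaks."""
    return {"id": node.node_id, "name": node.name, "class": node.class_identifier,
            "modified": node.modified, "path": node.path}


# Constructed sample tree: /1/2 is public content, /1/5 is a restricted area.
TREE = [
    Node(2, "/1/2", "Content", "folder", "2012-01-10", ""),
    Node(45, "/1/2/45", "Spring newsletter", "article", "2012-03-01", "public text"),
    Node(5, "/1/5", "Management", "folder", "2012-02-20", ""),
    Node(60, "/1/5/60", "Q3 restructuring plan", "article", "2012-03-20", "confidential"),
]

CONTRIBUTOR = User("contributor", frozenset({"/1/2"}))


def _children(parent_path: str):
    return [n for n in TREE if n.path.rsplit("/", 1)[0] == parent_path]


def browse_children_vulnerable(user: User, parent_path: str) -> list:
    """Flawed pattern: lists child metadata with no per-node read check at all.

    The body is withheld, so this looks safe, but a contributor learns the names,
    classes and modification dates of nodes they may not read.
    """
    return [metadata(n) for n in _children(parent_path)]


def browse_children_fixed(user: User, parent_path: str) -> list:
    """Hardened pattern: the parent and every listed child must pass can_read.

    A missing parent and a forbidden parent produce the same empty result, so the
    browse dialog cannot be used as an existence oracle either.
    """
    parent = next((n for n in TREE if n.path == parent_path), None)
    if parent is None or not can_read(user, parent):
        return []
    return [metadata(n) for n in _children(parent_path) if can_read(user, n)]


def lookup_for_relation_fixed(user: User, node_id: int) -> Optional[dict]:
    """Same rule for the tagging/relation path, where a node is fetched by id.

    Resolving an arbitrary id to its metadata is a second disclosure channel; it
    must apply the identical read check rather than trusting the supplied id.
    """
    node = next((n for n in TREE if n.node_id == node_id), None)
    if node is None or not can_read(user, node):
        return None
    return metadata(node)


if __name__ == "__main__":
    print("vulnerable:", browse_children_vulnerable(CONTRIBUTOR, "/1/5"))
    print("fixed:     ", browse_children_fixed(CONTRIBUTOR, "/1/5"))
```

The regression test a maintainer would want for this class of bug is the pair of assertions on the restricted folder: the browse call for a user without read access returns nothing, and the by-id lookup for a restricted node returns nothing, while both still work for nodes the user may read.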

Patch available on Github (see link below).
A Security Update with the reference EZPESU-2012-002-EZOE5.x is available for eZ Publish Enterprise customers.

Patch

https://github.com/ezsystems/ezoe/commit/6521f3917c6f160b48012340550e39a2d53e0834

Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.
