
EZSA-2012-003: Information disclosure & access rights issue in eZ Publish

Publication date : 26/03/2012
Severity : Low
Affected versions : eZ Publish Enterprise 4.6, 4.5, 4.4, 4.3, 4.2, 4.1, eZ Publish Community Project 4.2011, 2011.5, 2011.6, 2011.7, 2011.8, 2011.9, 2011.10, 2011.11, 2011.12, 2012.1, 2012.2
Resolving versions : eZ Publish Enterprise 4.7, eZ Publish Community Project 2012.3
References : EZSA-2012-001, EZSA-2012-002, EZSA-2012-004, EZSA-2012-005

This Security Advisory hardens a kernel function related to changing the priority (a sort-order criterion) of nodes in node lists in eZ Publish. The function now provides a second line of defense in case the module calling it fails to properly verify that the user has the permissions required to perform this action.
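As an added illustration of the defense-in-depth pattern this advisory describes (this is not eZ Publish code; the class and method names, the ownership policy and the sample node ids are all assumed), a kernel-level priority update that re-checks the permission itself instead of trusting the calling module:

```php
<?php
// Hypothetical illustration of the pattern, not eZ Publish code:
// NodeStore, AccessChecker and setNodePriorities are assumed names.

interface AccessChecker {
    /** True if $userId may change the sort priority of $nodeId. */
    public function canEditPriority(int $userId, int $nodeId): bool;
}

final class NodeStore {
    /** @var array<int,int> nodeId => priority */
    private array $priorities;

    public function __construct(array $initial) { $this->priorities = $initial; }

    public function priorityOf(int $nodeId): int { return $this->priorities[$nodeId]; }

    /**
     * Kernel-level priority update. Every node is checked here, so a module
     * that forgot its own permission check still cannot reach the write.
     * @param array<int,int> $changes nodeId => new priority
     */
    public function setNodePriorities(int $userId, array $changes, AccessChecker $acl): void {
        foreach (array_keys($changes) as $nodeId) {       // verify all nodes first
            if (!$acl->canEditPriority($userId, $nodeId)) {
                throw new RuntimeException("user $userId may not change priority of node $nodeId");
            }
        }
        foreach ($changes as $nodeId => $priority) {       // then write: all or nothing
            $this->priorities[$nodeId] = $priority;
        }
    }
}

// Constructed sample policy: user 7 owns nodes 10 and 11, user 42 owns node 20.
$acl = new class implements AccessChecker {
    private const OWNER = [10 => 7, 11 => 7, 20 => 42];
    public function canEditPriority(int $userId, int $nodeId): bool {
        return (self::OWNER[$nodeId] ?? null) === $userId;
    }
};
$store = new NodeStore([10 => 0, 11 => 0, 20 => 0]);

$store->setNodePriorities(7, [10 => 5, 11 => 3], $acl);   // permitted: both nodes owned by 7
try {
    // A module that skipped its own check passes a node user 7 does not own:
    // the kernel function refuses and nothing is written, node 10 included.
    $store->setNodePriorities(7, [10 => 9, 20 => 1], $acl);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
assert($store->priorityOf(10) === 5 && $store->priorityOf(20) === 0);
```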

Patch available on GitHub (see link below).

A Security Update with the reference EZPESU-2012-003-KERNEL4.x is available for eZ Publish Enterprise customers.

Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.

Patch

https://github.com/ezsystems/ezpublish/commit/e3581bb065a31d29bdc41bdba9e81abe26d8f352
