
EZSA-2012-004: Content removal access check issue in ezstyleeditor extension

Publication date : 26/03/2012
Severity : High
Affected versions : eZ Style Editor 1.4, 1.3, 1.2, 1.1, 1.0
Resolving versions : eZ Style Editor 1.5
References : EZSA-2012-001, EZSA-2012-002, EZSA-2012-003, EZSA-2012-005

This Security Advisory covers an issue related to image removal in the eZ Style Editor extension. An attacker may be able to delete any object by knowing or guessing its node ID. This vulnerability can be exploited by anonymous users, and it is strongly recommended to install this patch as soon as possible.
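The class of defect described above is a removal operation that trusts a client-supplied node ID without checking that the current user may remove that particular node. The following is an illustrative example added here by the editor; it is not the ezstyleeditor code and does not reflect the actual patch. It sketches how such a removal handler would be written in a legacy eZ Publish module view with the permission check in place. The function name `ezstyleeditor_remove_node` and the POST parameter name `NodeID` are assumptions; `eZHTTPTool`, `eZContentObjectTreeNode::fetch`, `canRemove`, `removeSubtrees`, `eZUser::currentUserID` and `eZDebug::writeWarning` are standard legacy eZ Publish APIs.

```php
<?php
// Illustrative example (added by the editor, not code from the ezstyleeditor
// extension): a module view that removes a node whose ID arrives in the request.
// The advisory's point is that the removal must be authorized against the
// resolved node for the current user, not merely because the view is reachable.

/**
 * Removes the given node if, and only if, the current user may remove it.
 * Returns a short status string for the view result. (Hypothetical helper name.)
 */
function ezstyleeditor_remove_node( $nodeID )
{
    // The node ID is untrusted input; coerce it to an integer before use.
    $nodeID = (int) $nodeID;
    if ( $nodeID <= 0 )
    {
        return 'Invalid NodeID';
    }

    $node = eZContentObjectTreeNode::fetch( $nodeID );
    if ( !( $node instanceof eZContentObjectTreeNode ) )
    {
        return 'No such node';
    }

    // The check the vulnerable pattern lacks: the policy decision is made on
    // the specific node. For an anonymous user this normally evaluates false.
    if ( !$node->canRemove() )
    {
        // Refused removals by anonymous users on arbitrary node IDs are a
        // useful detection signal for probing of this kind.
        eZDebug::writeWarning( "Denied removal of node $nodeID for user ID "
                               . eZUser::currentUserID(), 'ezstyleeditor' );
        return 'Access denied';
    }

    // Authorized: move the subtree to trash.
    eZContentObjectTreeNode::removeSubtrees( array( $nodeID ), true );
    return 'Removed';
}

$http = eZHTTPTool::instance();
$Result = array();

if ( $http->hasPostVariable( 'NodeID' ) )
{
    $Result['content'] = ezstyleeditor_remove_node( $http->postVariable( 'NodeID' ) );
}
else
{
    $Result['content'] = 'Missing NodeID';
}
```

The design point is that authorization is evaluated after the node is resolved and before any destructive call, so a guessed or enumerated node ID yields "Access denied" rather than a deletion, and the refusal is logged for review.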

We recommend that you disable this extension until you have installed this patch.

Patch available on Github (see link below).
A Security Update with the reference EZPESU-2012-004-EZSTYLEEDITOR1.x is available for eZ Publish Enterprise customers.

Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.

Patch

https://github.com/ezsystems/ezstyleeditor/commit/19ca5cb77fbde32a2571db9e0b3046e46883a03f
