EZSA-2012-005: Block handling access check issue in ezflow extension

Publication date : 26/03/2012
Severity : Medium
Affected versions : eZ Flow 2.4, 2.3, 2.2, 2.1, 2.0
Resolving versions : eZ Flow 2.4, 2.3, 2.2, 2.1, 2.0
References : EZSA-2012-001, EZSA-2012-002, EZSA-2012-003, EZSA-2012-004

This Security Advisory covers an issue related to block items in the eZ Flow extension. An attacker may be able to read protected content and change the order of blocks without having the right permissions. In order to exploit this, the attacker must already have access to the eZ Flow functionality, which is usually a privilege only given to content contributors.

Patch available on Github (see link below).
A Security Update with the reference EZPESU-2012-005-EZFLOW2.x is available for eZ Publish Enterprise customers.

Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for contributing information that led us to the discovery of this vulnerability.

Patch

https://github.com/ezsystems/ezflow/commit/8b7d5bd340ce36ade0cf3fb6126b4f5a82d81c41