Publication date : 09/05/2012
Severity : Low
Affected versions : ezjscore 1.0 - 1.4
Resolving versions : ezjscore 1.0 - 1.5
This update fixes a security issue related to cross-site scripting
(XSS) in eZ JS Core. When the ezjscore module is activated and the
ezjscnode service is accessible, an attacker can create a clickable
executed with the user's access permissions. We strongly recommend
that you install the update as soon as possible.
A Security Update with the reference EZPESU-2012-006-EZJSCORE1.x is available for eZ Publish Enterprise customers.
eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for discovering and reporting this vulnerability.