eZ Community » Security Advisories » EZSA-2017-001: SQL injection in...

EZSA-2017-001: SQL injection in legacy ezsearchengine (update)

Publication date : 07/03/2017
Severity : High
Affected versions : 4.5 - 5.4, all community versions at time of writing (legacy only)
Resolving versions : 5.4.9.1, 5.3.11.1, and published service packs for all other supported versions

It was found that the previous fix EZSA-2016-007 for an SQL injection security breach in the "ezsearchengine" search plugin, was not complete. There were circumstances where escaping could be breached, and injection would still be possible. By its nature, such a vulnerability is potentially severe, and we strongly recommend that you patch your systems as soon as possible.

We thank Markus Wulftange of Code White for bringing this important issue to our attention in a professional and responsible manner.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/874d7c0e739f7094671205dbf57335e670d97f3f

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

36 542 Users on board!

Community Project menu

Proudly Developed with from