eZ Community » Security Advisories » EZSA-2017-002: Image upload and...

EZSA-2017-002: Image upload and package creation vulnerabilities

Publication date : 07/03/2017
Severity : High
Affected versions : 4.5 - 5.4, all community versions at time of writing (legacy and new stack)
Resolving versions : 5.4.9.1, 5.3.11.1, and published service packs for all other supported versions

It was found that image upload was not well enough protected against malicious file uploads. The legacy package creation handler also lacked similar protection, allowing attacks through code injection. By its nature, such a vulnerability is severe, and we strongly recommend that you patch your systems as soon as possible.

We thank Markus Wulftange of Code White for bringing this important issue to our attention in a professional and responsible manner.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/31dbbe1f99146bc163c90fd26be0e1a384312392
Patch for eZ Platform kernel: https://github.com/ezsystems/ezpublish-kernel/commit/1bdc6d29523d3d16bf81d68af64c15080c7dde9a

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

36 542 Users on board!

Community Project menu

Proudly Developed with from