
EZSA-2017-003: XSS vulnerability in eZJSCore due to CVE-2013-6780

Publication date : 07/03/2017
Severity : High
Affected versions : 4.5 - 5.4, all community versions at time of writing (legacy only)
Resolving versions : 5.4.9.2, 5.3.11.2, and published service packs for all other supported versions
References : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780

This security advisory fixes the cross-site scripting (XSS) vulnerability CVE-2013-6780 in eZ Multiupload. It affects the Flash-based uploader.swf file in YUI and allows JavaScript to be injected. YUI has removed the Flash file they hosted from YUI 2.x. The issue is solved by upgrading our use of YUI from 2.x to 3.x and replacing the Flash upload functionality with HTML5. If you use the multiupload functionality, we strongly recommend that you install this Security Update as soon as possible. If you don't use multiupload, please install the update and/or disable the extension. To be fully certain that the vulnerability in the Flash-based uploader.swf cannot be exploited, the file should be deleted.

To clarify, there are 3 steps to this:
1. Upgrade YUI from 2 to 3
2. Replace the Flash multiuploader with HTML5
3. Remove the old uploader.swf Flash file

If your installation is up to date, then steps 1 and 2 are already done, and only step 3 remains. Below are the patches for all situations, including for 4.x sites where eZ JS Core had its own separate repository. 5.x sites can disregard patches for that repository.

Patch for removing uploader.swf from eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/93d52cf625f4c510b8ee6c2759ce38c9fe1d266e

Patch for replacing Flash with HTML5 in eZ Multiupload: https://github.com/ezsystems/ezmultiupload/commit/d48400f4f3d02fb5fd4a795223ea1bc0fa139130
and https://github.com/ezsystems/ezmultiupload/commit/2ae76eda70b3a71608d74b814531c7e9015a065e

Patch for upgrading YUI 2 to 3 in eZ JS Core (very large patch): https://github.com/ezsystems/ezjscore/commit/509829e2bcd0ad67992b197b224311fc46366c87
Patch for removing uploader.swf from eZ JS Core: https://github.com/ezsystems/ezjscore/commit/954ee25cc6852ea126c6450b71f2c315b551734e
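
To confirm that step 3 is complete after patching, the following added example (not part of the original advisory or of eZ's code) scans an installation tree for any remaining copy of uploader.swf and returns a non-zero status if one is found. The function names and the install root passed in are assumptions; the only value taken from the advisory is the file name.

```shell
#!/bin/sh
# Added example: audit an install tree for leftover copies of uploader.swf.
# The install root is an assumption; pass your own eZ Publish directory.

# find_uploader_swf ROOT
# Prints every file named uploader.swf (any letter case) under ROOT, one
# path per line. -L follows symlinks, so a linked copy in a web-served
# directory is reported as well. -iname is supported by GNU and BSD find.
find_uploader_swf() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    find -L "$root" -iname 'uploader.swf' \( -type f -o -type l \) 2>/dev/null
}

# audit_uploader_swf ROOT
# Returns 0 when no copy remains, 1 when at least one copy is found,
# and 2 when ROOT is invalid or the scan could not be completed.
audit_uploader_swf() {
    hits=$(find_uploader_swf "$1")
    status=$?
    if [ -n "$hits" ]; then
        echo "uploader.swf still present, delete these files:" >&2
        echo "$hits" >&2
        return 1
    fi
    if [ "$status" -ne 0 ]; then
        echo "scan of $1 did not complete (status $status)" >&2
        return 2
    fi
    echo "no uploader.swf found under $1"
    return 0
}
```

Source the file and call `audit_uploader_swf` with the root of the installation; the exit status makes it usable as a post-deployment check.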

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security
