EZSA-2017-004: Embedded files downloadable though they are in trash

Publication date : 07/03/2017
Severity : Low
Affected versions : 4.5 - 5.4, all community versions at time of writing (legacy only)
Resolving versions : 5.4.9.2, 5.3.11.2, and published service packs for all other supported versions

This security advisory addresses a vulnerability in which binary file content can still be downloaded after it has been moved to trash, provided the requester knows the URL or is able to guess or reconstruct it. The severity is fairly low, but we still recommend installing the patch.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/c6e34b5b5105dd2f1718deb52ebe2055b09681b5

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security
