
EZSA-2012-006: XSS exploit on eZJSCore RUN command when using Firefox

Publication date: 09/05/2012
Severity: Low
Affected versions: ezjscore 1.0 - 1.4
Resolving versions: ezjscore 1.0 - 1.5

This update fixes a cross-site scripting (XSS) vulnerability in eZ JS
Core. When the ezjscore module is activated and the ezjscnode service is
accessible, an attacker can craft a clickable link consisting of an
ezjscore RUN command together with JavaScript code. When a Firefox user
follows such a link, the JavaScript is executed in the user's browser
with that user's access permissions. We strongly recommend that you
install the update as soon as possible.

Patch

https://github.com/ezsystems/ezjscore/commit/58854564c7b8672090c25c4b1677d08620d870f2

A Security Update with the reference EZPESU-2012-006-EZJSCORE1.x is available for eZ Publish Enterprise customers.


Credit

eZ Systems would like to thank Yann MICHARD at security consulting company OPPIDA for discovering and reporting this vulnerability.
