
EZSA-2013-010: XSS attack possible in content treemenu (object names not sanitized)

Publication date : 08/08/2013
Severity : Medium
Affected versions : 4.0-5.0, all community versions at time of writing
Resolving versions : 5.1 & Published service packs for supported versions

This Security Update fixes a cross-site scripting (XSS) vulnerability in which folder names and user group names were not properly protected against XSS injection in the left menu of the administration backend. The update ensures that such injected code cannot be executed. We strongly recommend that you install this Security Update as soon as possible.
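As an added illustration (not eZ Publish code and not the linked patch), the pattern this advisory describes beside its hardened form: a hypothetical tree-menu renderer that concatenates object names straight into markup, and one that escapes them for the HTML text and attribute contexts before building the left-menu entries. The node shape and all names and ids are constructed sample data.

```javascript
// Added example (not eZ Publish code): escaping object names in a tree-menu renderer.
// Assumed shape of a tree node: { nodeId, name }; the sample data below is constructed.

const SAMPLE_NODES = [
  { nodeId: 2, name: 'Home' },
  { nodeId: 42, name: 'Folder "Q&A" <2013>' },            // legitimate name with markup characters
  { nodeId: 43, name: '<img src=x onerror="alert(1)">' }, // a name carrying an XSS payload
];

// Escape for HTML text and double-quoted attribute values (ENT_QUOTES-style).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable pattern: the object name is concatenated straight into the markup,
// so characters in the name become part of the page structure.
function renderNodeUnsafe(node) {
  return `<li id="n${node.nodeId}"><a href="/content/view/full/${node.nodeId}" ` +
         `title="${node.name}">${node.name}</a></li>`;
}

// Hardened pattern: the name is escaped for both contexts it lands in, and the id
// is validated as a non-negative integer before use in the URL and id attribute.
function renderNodeSafe(node) {
  const id = Number.parseInt(node.nodeId, 10);
  if (!Number.isInteger(id) || id < 0) throw new TypeError('invalid nodeId');
  const name = escapeHtml(node.name);
  return `<li id="n${id}"><a href="/content/view/full/${id}" title="${name}">${name}</a></li>`;
}

function renderTree(nodes, renderNode) {
  return '<ul>' + nodes.map(renderNode).join('') + '</ul>';
}

// Count tag openers in rendered markup. The renderer itself emits exactly four per
// node plus two for the list, so any surplus came from an object name.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

function expectedTagOpeners(nodes) {
  return 2 + 4 * nodes.length;
}

// True when a name has smuggled extra markup into the rendered menu.
function nameLeaksMarkup(nodes, renderNode) {
  return countTagOpeners(renderTree(nodes, renderNode)) !== expectedTagOpeners(nodes);
}

console.log('unsafe renderer leaks markup:', nameLeaksMarkup(SAMPLE_NODES, renderNodeUnsafe)); // true
console.log('safe renderer leaks markup:', nameLeaksMarkup(SAMPLE_NODES, renderNodeSafe));     // false
```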

Patches

eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/b768d2f22bae527eaa659d16fba84c3e63507e5c

Related to EZSA-2013-011: https://github.com/ezsystems/ezpublish-legacy/commit/9928aa21d338ac077ddf96ee22e4be4b6ffe7051

Follow-up regression fixes related to these patches:
https://github.com/ezsystems/ezpublish-legacy/commit/809d9cf55d417777831f6f19cfee510863f39c97
https://github.com/ezsystems/ezpublish-legacy/commit/1010cafa1a938472bf4f58c9cb2208aac1a9c828
