eZ Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template
Moderate severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Package
Affected versions
>= 2018.9.0, < 2018.9.1.2
>= 2018.6.0, < 2018.6.1.3
>= 2011.0.0, < 2017.12.4.2
>= 5.4.0, < 5.4.12.2
>= 5.3.0, < 5.3.12.5
Patched versions
2018.9.1.2
2018.6.1.3
2017.12.4.2
5.4.12.2
5.3.12.5
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge.
Installations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing.
To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply this patch manually:
ezsystems/ezpublish-legacy@4697bff
References