CVE-2017-1000431
Description
eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. steal authentication credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in eZ Publish search module allows attackers to inject scripts, potentially stealing credentials.
Vulnerability
An XSS vulnerability exists in the eZ Systems eZ Publish search module, affecting versions 5.4.0 to 5.4.9, and 5.3.12 and older. The issue arises from insufficient input sanitization in parameters such as SearchPageLimit, SectionID, SearchTimestamp, and SubTreeArray in the backoffice content search functionality [1][2][3]. The fix [4] shows that the application was passing unsanitized HTTP variables to the output, allowing arbitrary HTML or JavaScript injection.
Exploitation
An attacker with network access to the eZ Publish installation and the ability to craft malicious requests can inject scripts. No authentication is explicitly required for the search module, but exploitation likely depends on user interaction: if a privileged user visits a crafted URL containing the malicious payload, the script executes in their browser context. The attacker would craft a URL with embedded JavaScript in vulnerable parameters such as SearchPageLimit or SectionID and trick a victim into clicking it [2][3].
Impact
Successful exploitation leads to cross-site scripting (XSS), which allows the attacker to execute arbitrary JavaScript in the victim's browser. This can result in theft of session cookies, credentials, or other sensitive data, and potentially in actions performed on behalf of the victim, compromising the confidentiality and integrity of the application and its data [1][2].
Mitigation
The fix was applied in commit c7174295fa0b9bd81bd4af908082464b0b80f278 [4]. Upgrading to a patched version, such as eZ Publish 5.4.10 or later (or applying the commit), mitigates the issue. As of the publication date, no workaround is documented beyond applying the patch. The official advisory (EZSA-2017-005) recommends updating to the fixed version [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
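As an added example (not code from eZ Systems or from this page's sources), the following Python script flags access-log requests to content/search whose BrowsePageLimit, SearchPageLimit, SectionID, SearchTimestamp or SubTreeArray values are not plain integers, which is the property the fix commit enforces. It assumes a combined-format access log and a module URL path containing content/search; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the fix commit casts or checks as numeric (names from the page).
INT_PARAMS = {"BrowsePageLimit", "SearchPageLimit", "SectionID",
              "SearchTimestamp", "SubTreeArray"}
# Assumption: combined-format access log; module URL contains "content/search".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"-?[0-9]+")


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for non-integer values, else []."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if "content/search" not in url.path:
        return []
    hits = []
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        name = key.split("[", 1)[0]  # SubTreeArray[] -> SubTreeArray
        # Empty values are normal (e.g. an unset SearchTimestamp) and skipped.
        if name in INT_PARAMS and value and not INT_RE.fullmatch(value):
            hits.append((name, value))
    return hits


# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2018:10:00:00 +0000] "GET /content/search?SearchText=news&SearchPageLimit=2&SectionID=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2018:10:00:05 +0000] "GET /content/search?SearchText=a&SectionID=1%3Cb%3Ex HTTP/1.1" 200 5300',
    '198.51.100.9 - - [01/Jan/2018:10:00:09 +0000] "GET /content/search?SubTreeArray%5B%5D=2&SubTreeArray%5B%5D=1e3 HTTP/1.1" 200 5200',
    '198.51.100.4 - - [01/Jan/2018:10:00:12 +0000] "GET /content/view/full/2?SectionID=abc HTTP/1.1" 200 900',
]


def scan(lines):
    """Map 1-based line number -> suspicious parameters, for lines with hits."""
    return {n: hits for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))}


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
```

Only query-string parameters are inspected; values sent in a POST body do not appear in an access log and need request-body logging to check.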
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezpublish-legacy (Packagist) | >= 5.4.0, < 5.4.10 | 5.4.10 |
| ezsystems/ezpublish-legacy (Packagist) | >= 5.3.0, < 5.3.12.1 | 5.3.12.1 |
Affected products
- Range: >=5.4.0, <=5.4.9 and <=5.3.12
Patches
c7174295fa0b Fix EZP-25481: XSS in backoffice content/search
1 file changed · +5 −5
kernel/content/search.php+5 −5 modified@@ -47,13 +47,13 @@ function pageLimit( $searchPageLimit ) if ( $http->hasVariable( 'BrowsePageLimit' ) ) { - $pageLimit = $http->variable( 'BrowsePageLimit' ); + $pageLimit = (int)$http->variable( 'BrowsePageLimit' ); } else { if ( $http->hasVariable( 'SearchPageLimit' ) ) { - $searchPageLimit = $http->variable( 'SearchPageLimit' ); + $searchPageLimit = (int)$http->variable( 'SearchPageLimit' ); } $pageLimit = pageLimit( $searchPageLimit ); } @@ -71,14 +71,14 @@ function pageLimit( $searchPageLimit ) $searchSectionID = -1; if ( $http->hasVariable( "SectionID" ) ) { - $searchSectionID = $http->variable( "SectionID" ); + $searchSectionID = (int)$http->variable( "SectionID" ); } $searchTimestamp = false; if ( $http->hasVariable( 'SearchTimestamp' ) and $http->variable( 'SearchTimestamp' ) ) { - $searchTimestamp = $http->variable( 'SearchTimestamp' ); + $searchTimestamp = (int)$http->variable( 'SearchTimestamp' ); } $searchType = "fulltext"; @@ -96,7 +96,7 @@ function pageLimit( $searchPageLimit ) $subTreeList = array( $http->variable( "SubTreeArray" ) ); foreach ( $subTreeList as $subTreeItem ) { - if ( $subTreeItem > 0 ) + if ( is_numeric( $subTreeItem ) && $subTreeItem > 0 ) $subTreeArray[] = $subTreeItem; } }
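Review bot: In the first hunk (@@ -47,13 +47,13 @@), the cast result for BrowsePageLimit is assigned straight to $pageLimit, while SearchPageLimit still goes through pageLimit(); a non-numeric value now becomes 0 and a negative value stays negative, so $pageLimit can end up as 0 or below. Consider falling back to the default when the cast result is less than 1, and add a short comment noting that the cast is the XSS fix so it is not dropped in a later cleanup.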
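Review bot: In the second hunk (@@ -71,14 +71,14 @@), the SearchTimestamp guard still tests the raw request value, so a non-empty, non-numeric string passes the check and is then cast to 0, leaving $searchTimestamp as 0 instead of the false default. Cast first and only assign when the result is greater than 0; the same applies to SectionID, where a non-numeric value now yields 0 rather than the -1 default.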
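Review bot: In the third hunk (@@ -96,7 +96,7 @@), is_numeric() also accepts floats and exponent notation such as 1.5 or 1e3, and the item is appended to $subTreeArray as the original string rather than as an integer, unlike the (int) casts used in the other two hunks. Suggest storing (int)$subTreeItem after the check, or validating the string with ctype_digit(), so that only integer values reach the array.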
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m98q-p5gq-q5ff (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-1000431 (ghsa, ADVISORY)
- share.ez.no/community-project/security-advisories/ezsa-2017-005-xss-issue-in-search (ghsa, x_refsource_CONFIRM, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-legacy/CVE-2017-1000431.yaml (ghsa, WEB)
- github.com/ezsystems/ezpublish-legacy/commit/c7174295fa0b9bd81bd4af908082464b0b80f278 (ghsa, WEB)
- web.archive.org/web/20210408035246/http://share.ez.no/community-project/security-advisories/ezsa-2017-005-xss-issue-in-search (ghsa, WEB)