VYPR
Moderate severity · NVD Advisory · Published May 16, 2019 · Updated Aug 4, 2024

CVE-2019-12139

Description

Reflected XSS vulnerability in eZ Platform Admin UI and Page Builder allows unauthenticated attackers to inject arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2019-12139 is a reflected cross-site scripting (XSS) issue found in the Admin UI of eZ Platform 2.x. The vulnerability specifically affects the ezplatform-admin-ui versions 1.3.x before 1.3.5 and 1.4.x before 1.4.4, as well as ezplatform-page-builder versions 1.1.x before 1.1.5 and 1.2.x before 1.2.4 [1][2]. The root cause lies in insufficient input sanitization within the administrative interface, allowing user-controlled input to be improperly reflected in the response.

Exploitation and Attack Surface

This XSS flaw can be exploited by an attacker without authentication, as the vulnerable components are part of the Admin UI which may be accessible to unauthenticated users in some configurations. The attack vector is through a crafted URL or other user-supplied data that, when processed by the Admin UI, injects malicious HTML or JavaScript code [1]. The attacker needs to trick a victim (likely an administrator) into clicking a specially crafted link or submitting a malicious request.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the victim's browser within the context of the Admin UI. This can lead to session hijacking, defacement, sensitive data theft, or further attacks against the application [2]. Given the privileged nature of admin interfaces, the impact on confidentiality, integrity, and availability is potentially severe.

Mitigation Status

The vulnerability has been addressed by the vendor. Users should update ezplatform-admin-ui to at least version 1.3.5 or 1.4.4, and ezplatform-page-builder to at least version 1.1.5 or 1.2.4, depending on their branch [2]. No known workarounds have been published, and the affected versions are no longer supported if not updated.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| ezsystems/ezplatform-admin-ui (Packagist) | >= 1.3, < 1.3.5 | 1.3.5 |
| ezsystems/ezplatform-admin-ui (Packagist) | >= 1.4, < 1.4.4 | 1.4.4 |
