CVE-2020-10806
Description
eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eZ Publish Kernel and Legacy allow remote authenticated users to upload and execute arbitrary PHP code if the web server vhost is not configured to restrict execution to app.php only.
Root cause
CVE-2020-10806 is a vulnerability in eZ Publish Kernel and Legacy that allows remote code execution through file uploads. The root cause is that the file upload mechanism did not prevent uploading PHP files, and if the web server vhost configuration permits execution of any PHP file (rather than only app.php), an attacker can achieve code execution [1].
Exploitation
An attacker needs to have file upload permissions on the eZ Publish site. The vulnerability can be exploited when the recommended vhost configuration (which restricts execution to app.php) is not in use. The built-in PHP development server is always vulnerable as it lacks such restrictions [2].
Impact
Successful exploitation allows an attacker to upload arbitrary PHP code and execute it on the server, leading to full remote code execution. This can compromise the entire application and underlying infrastructure [2].
Mitigation
The vendor has released patches for the affected versions: eZ Publish Kernel 5.4.14.1, 6.13.6.2, 7.5.6.2; and eZ Publish Legacy 5.4.14.1, 2017.12.7.2, 2019.03.4.2. The fix adds a configurable blacklist for uploaded file extensions (e.g., .php) to prevent uploading executable code [2]. Using the recommended vhost configuration also provides protection.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
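As an added illustration of the mitigation described above (not code from eZ Publish or its advisory), the following PHP function applies a configurable extension blacklist to an uploaded filename, checking every extension segment rather than only the last; the function name, constant name and sample filenames are constructed for this example.

```php
<?php
// Added illustrative example, not eZ Publish's own code: a configurable
// extension blacklist for uploaded filenames, in the spirit of the fix
// described above. Function, constant and sample names are assumptions.
declare(strict_types=1);

// Default blacklist: extensions a typical PHP-enabled web server hands to the
// interpreter. Extend it per your handler configuration; on Apache, blocking
// .htaccess uploads is also prudent because that file can remap handlers.
const DEFAULT_BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

/**
 * Returns true when the upload should be rejected.
 *
 * Every dot-separated segment after the base name is checked, not only the
 * last one, so "shell.php.jpg" is rejected as well as "shell.PHP"; the
 * comparison is case-insensitive because many web servers and filesystems are.
 */
function isBlockedUpload(string $filename, array $blocked = DEFAULT_BLOCKED_EXTENSIONS): bool
{
    $base = basename(str_replace('\\', '/', $filename)); // ignore any path component
    $parts = explode('.', $base);
    array_shift($parts);                                  // drop the name before the first dot
    $blocked = array_map('strtolower', $blocked);
    foreach ($parts as $ext) {
        if (in_array(strtolower(trim($ext)), $blocked, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample filenames with the expected decision for each.
$samples = [
    'report.pdf'     => false,
    'image.PHP'      => true,
    'shell.php.jpg'  => true,
    '../evil.phtml'  => true,
    '.htaccess'      => true,
    'archive.tar.gz' => false,
];
foreach ($samples as $name => $expected) {
    $blocked = isBlockedUpload($name);
    printf("%-16s -> %s%s\n", $name, $blocked ? 'BLOCKED' : 'allowed',
        $blocked === $expected ? '' : '  (UNEXPECTED)');
}
```

A blacklist only covers the extensions it lists, so it complements rather than replaces the recommended vhost configuration that limits PHP execution to app.php.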
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezpublish-kernel (Packagist) | < 5.4.14.1 | 5.4.14.1 |
| ezsystems/ezpublish-legacy (Packagist) | < 5.4.14.1 | 5.4.14.1 |
| ezsystems/ezpublish-kernel (Packagist) | >= 6.0, < 6.13.6.2 | 6.13.6.2 |
| ezsystems/ezpublish-kernel (Packagist) | >= 7.0, < 7.5.6.2 | 7.5.6.2 |
| ezsystems/ezpublish-legacy (Packagist) | >= 2017, < 2017.12.7.2 | 2017.12.7.2 |
| ezsystems/ezpublish-legacy (Packagist) | >= 2019, < 2019.03.4.2 | 2019.03.4.2 |
Affected products
- eZ Publish / eZ Publish Kernel (description)
  - Range: <5.4.14.1, <6.13.6.2, <7.5.6.2
  - Range: <5.4.14.1, <2017.12.7.2, <2019.03.4.2
- GHSA coordinates: 2 versions (< 5.4.14.1 + 1 more)
- (no CPE) range: < 5.4.14.1
- (no CPE) range: < 5.4.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-54p5-gxq6-j98g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10806 (GHSA, advisory)
- ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.