CVE-2021-46875
Description
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in eZ Platform Ibexa Kernel before 1.3.1.1 allows remote attackers to execute arbitrary JavaScript by uploading .html or .js files.
Vulnerability
Details
The vulnerability resides in the eZ Platform Ibexa Kernel (ezpublish-kernel) prior to version 1.3.1.1. The software fails to properly sanitize user-uploaded files with .html or .js extensions, allowing arbitrary JavaScript code to be stored and later executed in the context of the application [1][2][4].
Exploitation
An attacker can upload a crafted .html or .js file through the file upload functionality. This can be performed by any authenticated user with upload permissions, or potentially by unauthenticated users if the upload endpoint is exposed without proper access controls. When another user views the uploaded file, the embedded JavaScript is executed in their browser, leading to XSS [4].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying page content, or redirecting users to malicious sites. This can compromise the integrity and confidentiality of the affected system [4].
Mitigation
The issue is addressed in version 1.3.1.1 of the ezpublish-kernel package. Users are strongly advised to upgrade to this or a later version. The fix is included in commit [3] and available via Packagist [1]. No workarounds have been published for unpatched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ezsystems/ezpublish-kernelPackagist | < 6.13.8.2 | 6.13.8.2 |
ezsystems/ezpublish-kernelPackagist | >= 7.0.0, < 7.5.15.2 | 7.5.15.2 |
ezsystems/ezplatform-kernelPackagist | < 1.2.5.1 | 1.2.5.1 |
ezsystems/ezplatform-kernelPackagist | >= 1.3.0, < 1.3.1.1 | 1.3.1.1 |
Affected products
3- eZ Platform/Ibexa Kerneldescription
- ghsa-coords2 versions
< 1.2.5.1+ 1 more
- (no CPE)range: < 1.2.5.1
- (no CPE)range: < 6.13.8.2
Patches
129fecd2afe86Merge pull request from GHSA-mrvj-7q4f-5p42
1 file changed · +10 −0
eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml+10 −0 modified@@ -89,6 +89,16 @@ parameters: - pht - phtml - pgif + - hta + - htm + - html + - xhtm + - xhtml + - jar + - js + - jse + - svg + - swf # Content settings ezsettings.default.content.view_cache: true # Whether to use content view cache or not (Etag/Last-Modified based)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-mrvj-7q4f-5p42ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-46875ghsaADVISORY
- github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311bghsaWEB
- github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42ghsaWEB
- packagist.org/packages/ezsystems/ezplatform-kernelghsaWEB
- packagist.org/packages/ezsystems/ezpublish-kernelghsaWEB
News mentions
0No linked articles in our index yet.