Packagist (Composer) package
ezsystems/ezpublish-kernel
pkg:composer/ezsystems/ezpublish-kernel
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-48367 | — | | | >= 7.5.0, < 7.5.28 | 7.5.28 | Mar 12, 2023 | An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled. |
| CVE-2022-48366 | — | | | >= 7.5.0, < 7.5.29 | 7.5.29 | Mar 12, 2023 | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack. |
| CVE-2022-48365 | — | | | >= 7.5.0, < 7.5.30 | 7.5.30 | Mar 12, 2023 | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges. |
| CVE-2021-46876 | — | | | >= 6.13.0, < 6.13.8.1 | 6.13.8.1 | Mar 12, 2023 | An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence. |
| CVE-2021-46875 | — | | | < 6.13.8.2 | 6.13.8.2 | Mar 12, 2023 | An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file. |
| CVE-2022-25337 | — | | | >= 7.5.0, < 7.5.26 | 7.5.26 | Feb 18, 2022 | Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames. |
| CVE-2020-10806 | — | | | < 5.4.14.1 | 5.4.14.1 | Mar 22, 2020 | eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permit |