Ez: >> Ez Publish Security Vulnerabilities
eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. steal authentication credentials.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-02
Unspecified vulnerability in ez Publish 4.1.4, 4.2, 4.3, 4.4, 4.5, and 4.6 has unknown impact and attack vectors related to an insecure direct object reference.
CVSS Score
7.5
EPSS Score
0.018
Published
2012-10-06
Cross-site request forgery (CSRF) vulnerability in eZOE flash player in eZ Publish 4.1 through 4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVSS Score
6.8
EPSS Score
0.001
Published
2012-07-25
Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ Publish 3.7.0 through 4.2.0 allows remote attackers to inject arbitrary web script or HTML via the subTreeItem parameter.
CVSS Score
4.3
EPSS Score
0.005
Published
2010-07-08
Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.
CVSS Score
7.5
EPSS Score
0.008
Published
2010-07-08
The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, ContentObjectAttribute_data_user_password_30, and other parameters.
CVSS Score
7.5
EPSS Score
0.024
Published
2009-07-02
eZ publish before 3.8.9, and 3.9 before 3.9.3, does not properly check permissions on module views that lack a policy function, which has unknown impact and attack vectors, as demonstrated by a vulnerability in the discount functionality in the shop module.
CVSS Score
10.0
EPSS Score
0.006
Published
2007-08-23
The tipafriend function in eZ publish before 3.8.9, and 3.9 before 3.9.3, does not limit access by anonymous users, which allows remote attackers to conduct spam attacks.
CVSS Score
5.0
EPSS Score
0.01
Published
2007-08-23
eZ publish before 3.8.1 does not properly enforce permissions for "content edit Language" when there are four or more languages, which allows remote authenticated users to perform translations into languages that are not listed in a Module Function Limitation policy.
CVSS Score
4.0
EPSS Score
0.001
Published
2007-07-06
eZ publish before 3.8.5 does not properly enforce permissions for editing in a specific language, which allows remote authenticated users to create a draft in an unauthorized language by editing an archived version of an object, and then using Manage Versions to copy this version to a new draft.
CVSS Score
4.0
EPSS Score
0.001
Published
2007-07-06
Page 1