Skip to content

Ez Platform Object Injection in legacy shop module

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer ezsystems/ezpublish-legacy (Composer)

Affected versions

>= 2019.3.0, < 2019.3.5.1
>= 2017.12.0, < 2017.12.7.3
>= 5.4.0, < 5.4.14.2

Patched versions

2019.3.5.1
2017.12.7.3
5.4.14.2

Description

This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why it was classified as Medium severity.

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024
Last updated May 15, 2024

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-39j2-4p9j-5w4j

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.