First published: Sun Mar 22 2020
eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
eZ Publish Kernel (composer: ezsystems/ezpublish-kernel) | <5.4.14.1 | 5.4.14.1 |
eZ Publish Kernel (composer: ezsystems/ezpublish-kernel) | >=6.0.0 <6.13.6.2 | 6.13.6.2 |
eZ Publish Kernel (composer: ezsystems/ezpublish-kernel) | >=7.0.0 <7.5.6.2 | 7.5.6.2 |
eZ Publish Legacy (composer: ezsystems/ezpublish-legacy) | <5.4.14.1 | 5.4.14.1 |
eZ Publish Legacy (composer: ezsystems/ezpublish-legacy) | >=2017.0 <2017.12.7.2 | 2017.12.7.2 |
eZ Publish Legacy (composer: ezsystems/ezpublish-legacy) | >=2019.0 <2019.03.4.2 | 2019.03.4.2 |
The severity of CVE-2020-10806 is critical with a CVSS score of 9.8.
CVE-2020-10806 affects eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2 and 7.x before 7.5.6.2, and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2 and 2019 before 2019.03.4.2; the corresponding fixed releases are the "How to fix" versions in the table above.
The exploit path is a file upload: a remote attacker uploads a file containing PHP code and then requests it over HTTP. The upload only turns into code execution if the web server hands PHP files outside the front controller to the PHP interpreter, so a vhost configuration that executes only app.php (and refuses every other *.php request) blocks the attack. Treat that vhost restriction as a mitigation and a defence-in-depth measure, not as the fix: upgrade to the fixed versions regardless.
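As an added example (not taken from the advisory or from the eZ Systems vhost templates), the nginx server block below shows the weak pattern, in which any *.php under the document root is executed, beside the restricted one, in which only the front controller reaches PHP-FPM. It assumes an eZ Platform document root of /var/www/ezplatform/web, a PHP-FPM socket at /run/php/php-fpm.sock and the hostname ezplatform.example; all three are placeholders.

```nginx
# Added example vhost, not the project's shipped template.
# Assumed paths: document root /var/www/ezplatform/web, front controller
# web/app.php, PHP-FPM on unix:/run/php/php-fpm.sock.

# WEAK: every *.php request is executed, including a file that an attacker
# managed to upload into the storage tree under the document root.
#
#   location ~ \.php$ {
#       include fastcgi_params;
#       fastcgi_pass unix:/run/php/php-fpm.sock;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#   }

server {
    listen 80;
    server_name ezplatform.example;   # placeholder hostname
    root /var/www/ezplatform/web;

    # Anything that is not an existing static file goes through the
    # front controller.
    location / {
        try_files $uri /app.php$is_args$args;
    }

    # Only app.php is passed to PHP-FPM. nginx tries regex locations in the
    # order they appear, so this block must come before the catch-all below.
    location ~ ^/app\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    # Every other *.php request, including uploaded files, is refused
    # rather than executed or served back as source text.
    location ~ \.php$ {
        return 404;
    }
}
```

After reloading nginx, verify the restriction by requesting a *.php path under the storage tree (a harmless test file you placed there yourself, not an attacker-controlled one) and checking that the response is 404 rather than PHP output or the file's source. An eZ Publish Legacy site served directly, without the Platform front controller, uses index.php as its controller, so the first regex location must name that file instead. Apache deployments need the equivalent: rewrite all requests to the front controller and deny *.php elsewhere. None of this replaces upgrading to the fixed versions in the table above.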
You can find more information about CVE-2020-10806 at the following reference: [link](https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads).