First published: Wed May 15 2024
This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.

Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.
Affected Software | Affected Version | How to fix |
---|---|---|
composer/ezsystems/ezpublish-kernel | >=5.4.0 <5.4.15 | 5.4.15 |
composer/ezsystems/ezpublish-kernel | >=6.13.0 <6.13.6.4 | 6.13.6.4 |
composer/ezsystems/ezpublish-kernel | >=7.5.0 <7.5.8 | 7.5.8 |
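
One way to check a project's `composer.lock` against the ranges in the table above (an added example, not part of the original advisory or the eZ Platform code base). The function names, status labels and the sample lock content are assumptions made for illustration; versions outside the listed ranges are reported as `not-in-table` rather than as safe, since the table only covers three branches.

```python
import json

# Ranges copied from the advisory table: (lowest affected version, first fixed version).
AFFECTED = {
    "ezsystems/ezpublish-kernel": [
        ("5.4.0", "5.4.15"),
        ("6.13.0", "6.13.6.4"),
        ("7.5.0", "7.5.8"),
    ],
}

def parse_version(text):
    """Turn 'v6.13.6.4' into (6, 13, 6, 4); None for dev or pre-release strings."""
    parts = text.lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    # Pad to four components so 7.5.8 and 6.13.6.4 compare consistently.
    return tuple(nums + [0] * (4 - len(nums)))

def audit_lock(lock_text):
    """Return (package, installed, status, fixed_in) for each package listed in AFFECTED."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        ranges = AFFECTED.get(pkg.get("name"))
        if ranges is None:
            continue
        installed = parse_version(pkg.get("version", ""))
        if installed is None:
            # Branch aliases such as dev-master need a manual look at the commit.
            findings.append((pkg["name"], pkg.get("version"), "unknown", None))
            continue
        status, fixed_in = "not-in-table", None
        for low, fixed in ranges:
            if parse_version(low) <= installed < parse_version(fixed):
                status, fixed_in = "affected", fixed
        findings.append((pkg["name"], pkg["version"], status, fixed_in))
    return findings

# Constructed sample standing in for a real composer.lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "ezsystems/ezpublish-kernel", "version": "v7.5.7"},
                 {"name": "symfony/symfony", "version": "v3.4.49"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(finding)
```
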