Skip to content

Cross-site scripting in eZ Platform Kernel

High severity GitHub Reviewed Published Mar 17, 2021 in ezsystems/ezpublish-kernel • Updated Jan 9, 2023

Package

composer ezsystems/ezplatform-kernel (Composer)

Affected versions

<= 1.2.5
>= 1.3.0, <= 1.3.1

Patched versions

1.2.5.1
1.3.1.1
composer ezsystems/ezpublish-kernel (Composer)
<= 6.13.8.1
>= 7.0.0, <= 7.5.15.1
6.13.8.2
7.5.15.2

Description

Impact

In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.

Patches

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.file_storage.file_type_blacklist" at:
https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109

Important note

You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.

References

@glye glye published to ezsystems/ezpublish-kernel Mar 17, 2021
Reviewed Mar 19, 2021
Published to the GitHub Advisory Database Mar 19, 2021
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-mrvj-7q4f-5p42

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.