CVE-2020-10806: 
PHP vulnerability analysis and mitigation

CVE-2020-10806 is a remote code execution vulnerability affecting eZ Publish Kernel (versions before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2) and eZ Publish Legacy (versions before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2). The vulnerability was discovered in March 2020 and allows remote attackers to execute arbitrary code by uploading PHP code, unless specific vhost configuration restrictions are in place (NVD).

The vulnerability stems from improper handling of file uploads in eZ Platform and eZ Publish Legacy systems. The issue can lead to remote code execution if the system's vhost configuration allows execution of uploaded PHP files. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a highly severe security risk with network accessibility and no required privileges or user interaction (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary code on the affected systems. The impact is particularly severe as it could lead to complete system compromise, allowing attackers to access, modify, or delete sensitive data, and potentially gain control of the affected server (Vendor Advisory).

The vendor has released patched versions: eZ Publish Kernel v7.5.6.2, v6.13.6.2, v5.4.14.1, and eZ Publish Legacy v2019.03.4.2, v2017.12.7.2, v5.4.14.1. The fix includes a blacklist feature for uploaded filenames that blocks potentially dangerous file types including .php, .php3, .phar, .phpt, .pht, .phtml, and .pgif. Additionally, implementing the recommended vhost configuration provides an additional layer of security (Vendor Advisory).