GHSA-4c2w-v5rq-5mx7: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-4c2w-v5rq-5mx7) was identified in eZ Platform Editor, affecting multiple versions of ezsystems/ezplatform-admin-ui-assets. The issue was disclosed on October 9, 2020, with a medium severity rating. The vulnerability affects versions 4.2.0-4.2.1, 5.0.0-5.0.1, and 5.1.0-5.1.1 of the software (EZ Platform).

The vulnerability consists of two main issues: First, a Cross-Site Scripting (XSS) vulnerability in CKEditor (used by AlloyEditor within eZ Platform Admin UI) where scripts can be injected through specially crafted 'protected' comments. Second, a visibility issue where trashed drafts become visible in the Review Queue to unauthorized users. The vulnerability is tracked as CWE-79 (Cross-site Scripting) (EZ Platform).

The vulnerability allows potential script injection through the editor component, though the full exploitability in eZ Platform was not confirmed. Additionally, in the Enterprise Edition, users could gain unauthorized access to view titles and review history of trashed drafts in the Review Queue, although preview functionality remained restricted (EZ Platform).

The issues have been patched in multiple versions: ezsystems/ezplatform-admin-ui-assets v4.2.1, v5.0.1, and v5.1.1. For Enterprise Edition users, the workflow component has been patched in versions v1.1.9 (for eZ Platform EE v2.5.13) and v2.1.1 (for eZ Platform EE v3.1.2). The underlying CKEditor vulnerability was fixed in CKEditor v4.14 and AlloyEditor v2.11.9 (EZ Platform).