Vulnerability DatabaseGHSA-q73v-79x3-jv2w

GHSA-q73v-79x3-jv2w:
PHP vulnerability analysis and mitigation

Overview

A high severity Cross-site Scripting (XSS) vulnerability was identified in eZ Platform Admin UI, tracked as EZSA-2019-001. The vulnerability was discovered on March 12, 2019, affecting eZ Platform 2.x systems, specifically ezsystems/ezplatform-admin-ui versions 1.3.x and 1.4.x, and ezsystems/ezplatform-page-builder versions 1.1.x and 1.2.x (GitHub Advisory).

Technical details

Parts of the Admin UI were found to be vulnerable to XSS injection attacks, particularly affecting systems that allow user-generated content. The vulnerability stemmed from insufficient escaping of injected code in the Admin UI interface (EZ Security Advisory).

Impact

The vulnerability posed a significant risk to all eZ Platform 2.x sites, with systems allowing user-generated content being particularly vulnerable. The XSS vulnerability could potentially allow attackers to inject malicious code through the Admin UI (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in ezsystems/ezplatform-admin-ui versions 1.3.5 and 1.4.4, and ezsystems/ezplatform-page-builder versions 1.1.5 and 1.2.4. The update added necessary escaping of injected code, resolving the issue for both existing injected code and preventing future injection attempts. Users were advised to update using Composer to the patched versions (GitHub Advisory).