Vulnerabilities > EZ

DATE CVE VULNERABILITY TITLE RISK
2020-03-22 CVE-2020-10806 Unrestricted Upload of File with Dangerous Type vulnerability in EZ Publish-Kernel and EZ Publish-Legacy
eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
network
low complexity
ez CWE-434
7.5
2019-05-16 CVE-2019-12139 Cross-site Scripting vulnerability in EZ Ezplatform-Admin-Ui and Ezplatform-Page-Builder
An XSS issue was discovered in the Admin UI in eZ Platform 2.x.
network
ez CWE-79
4.3
2018-01-02 CVE-2017-1000431 Cross-site Scripting vulnerability in EZ Publish
eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g.
network
ez CWE-79
4.3
2012-10-06 CVE-2012-1565 Security vulnerability in eZ Publish
Unspecified vulnerability in eZ Publish 4.1.4, 4.2, 4.3, 4.4, 4.5, and 4.6 has unknown impact and attack vectors related to an insecure direct object reference.
network
low complexity
ez
7.5
2012-08-17 CVE-2012-1597 Cross-Site Scripting vulnerability in EZ Ezjscore 1.0
Cross-site scripting (XSS) vulnerability in the textEncode function in classes/ezjscajaxcontent.php in eZ JS Core in eZ Publish before 1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
high complexity
ez CWE-79
2.6
2012-07-25 CVE-2012-4053 Cross-Site Request Forgery (CSRF) vulnerability in EZ Publish 4.1.0/4.2.0/4.3.0
Cross-site request forgery (CSRF) vulnerability in eZOE flash player in eZ Publish 4.1 through 4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
network
ez CWE-352
6.8
2010-07-08 CVE-2010-2672 SQL Injection vulnerability in EZ Publish
Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.
network
low complexity
ez CWE-89
7.5
2010-07-08 CVE-2010-2671 Cross-Site Scripting vulnerability in EZ Publish
Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ Publish 3.7.0 through 4.2.0 allows remote attackers to inject arbitrary web script or HTML via the subTreeItem parameter.
network
ez CWE-79
4.3
2009-07-02 CVE-2008-6844 Permissions, Privileges, and Access Controls vulnerability in EZ Publish
The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, ContentObjectAttribute_data_user_password_30, and other parameters.
network
low complexity
ez CWE-264
7.5
2007-08-23 CVE-2007-4494 Unspecified vulnerability in EZ Publish
The tipafriend function in eZ Publish before 3.8.9, and 3.9 before 3.9.3, does not limit access by anonymous users, which allows remote attackers to conduct spam attacks.
network
low complexity
ez
5.0