Vulnerabilities > EZ > EZ Publish > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-02 | CVE-2017-1000431 | Cross-site Scripting vulnerability in EZ Publish eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. | 4.3 |
| 2012-07-25 | CVE-2012-4053 | Cross-Site Request Forgery (CSRF) vulnerability in EZ Publish 4.1.0/4.2.0/4.3.0 Cross-site request forgery (CSRF) vulnerability in eZOE flash player in eZ Publish 4.1 through 4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
| 2010-07-08 | CVE-2010-2671 | Cross-Site Scripting vulnerability in EZ Publish Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ Publish 3.7.0 through 4.2.0 allows remote attackers to inject arbitrary web script or HTML via the subTreeItem parameter. | 4.3 |
| 2007-08-23 | CVE-2007-4494 | Unspecified vulnerability in EZ Publish The tipafriend function in eZ publish before 3.8.9, and 3.9 before 3.9.3, does not limit access by anonymous users, which allows remote attackers to conduct spam attacks. | 5.0 |
| 2007-07-06 | CVE-2006-7219 | Permissions, Privileges, and Access Controls vulnerability in EZ Publish eZ publish before 3.8.5 does not properly enforce permissions for editing in a specific language, which allows remote authenticated users to create a draft in an unauthorized language by editing an archived version of an object, and then using Manage Versions to copy this version to a new draft. | 4.0 |
| 2007-07-06 | CVE-2006-7218 | Permissions, Privileges, and Access Controls vulnerability in EZ Publish eZ publish before 3.8.1 does not properly enforce permissions for "content edit Language" when there are four or more languages, which allows remote authenticated users to perform translations into languages that are not listed in a Module Function Limitation policy. | 4.0 |
| 2006-03-01 | CVE-2006-0938 | Cross-Site Scripting vulnerability in EZ Publish Cross-site scripting (XSS) vulnerability in eZ publish 3.7.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the RefererURL parameter. | 4.3 |
| 2005-12-31 | CVE-2005-4857 | Resource Management Errors vulnerability in EZ Publish eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051128 allows remote authenticated users to cause a denial of service (Apache httpd segmentation fault) via a request to content/advancedsearch.php with an empty SearchContentClassID parameter, reportedly related to a "memory addressing error". | 4.0 |
| 2005-12-31 | CVE-2005-4856 | Data Processing Errors vulnerability in EZ Publish The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051110 does not properly handle authorization errors, which allows remote attackers to obtain sensitive information and see the admin pagelayout and associated templates via a request with (1) "anything after the url" or (2) a "wrong url". | 5.0 |
| 2005-12-31 | CVE-2005-4854 | Permissions, Privileges, and Access Controls vulnerability in EZ Publish eZ publish 3.5 through 3.7 before 20050830 does not use a folder's read permissions to restrict notifications, which allows remote authenticated users to obtain sensitive information about changes to content in arbitrary folders. | 5.0 |