CVE-2020-10806

Published: Mar 22, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.

Affected (6)

Products: Ez: Ez Publish Kernel, Ez Publish Legacy

2 products

Ez Publish Kernel

Ez Publish Legacy

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Ez Ez Publish Kernel	Before 5.4.14.1
Ez Ez Publish Kernel	From 6.0.0 to 6.13.6.2
Ez Ez Publish Kernel	From 7.0.0 to 7.5.6.2
Ez Ez Publish Legacy	Before 5.4.14.1
Ez Ez Publish Legacy	From 2017.0 to 2017.12.7.2
Ez Ez Publish Legacy	From 2019.0 to 2019.03.4.2

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads

Source: cve@mitre.org

Vendor Advisory

https://ezplatform.com/security-advisories/ezsa-2020-001-remote-code-execution-in-file-uploads

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.