Ez

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-10806 1Ez 2Ez Publish Kernel Ez Publish Legacy Nov 21, 2024 Mar 22, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code...Show more eZ Publish Kernel before 5.4.14.1, 6.x before 6.13.6.2, and 7.x before 7.5.6.2 and eZ Publish Legacy before 5.4.14.1, 2017 before 2017.12.7.2, and 2019 before 2019.03.4.2 allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.Show less
CVE-2019-12139 1Ez 2Ezplatform Admin Ui Ezplatform Page Builder Nov 21, 2024 May 16, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An XSS issue was discovered in the Admin UI in eZ Platform 2.x. This affects ezplatform-admin-ui 1.3.x before 1.3.5 and 1.4.x before 1.4.4, and ezplatform-page-builder 1.1.x before 1.1.5 and 1.2.x before 1.2.4.
CVE-2017-1000431 1Ez 1Ez Publish Nov 21, 2024 Jan 2, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is vulnerable to an XSS issue in the search module, resulting in a risk of attackers injecting scripts which may e.g. steal authentication credentials.
CVE-2012-1565 1Ez 1Ez Publish Apr 29, 2026 Oct 6, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Unspecified vulnerability in ez Publish 4.1.4, 4.2, 4.3, 4.4, 4.5, and 4.6 has unknown impact and attack vectors related to an insecure direct object reference.
CVE-2012-1597 1Ez 1Ezjscore Apr 29, 2026 Aug 17, 2012 N/A· v4 N/A· v3 2.6 LOW· v2 Cross-site scripting (XSS) vulnerability in the textEncode function in classes/ezjscajaxcontent.php in eZ JS Core in eZ Publish before 1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified ve...Show more Cross-site scripting (XSS) vulnerability in the textEncode function in classes/ezjscajaxcontent.php in eZ JS Core in eZ Publish before 1.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.Show less
CVE-2012-4053 1Ez 1Ez Publish Apr 29, 2026 Jul 25, 2012 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in eZOE flash player in eZ Publish 4.1 through 4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2010-2672 1Ez 1Ez Publish Apr 29, 2026 Jul 8, 2010 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3)...Show more Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.Show less
CVE-2010-2671 1Ez 1Ez Publish Apr 29, 2026 Jul 8, 2010 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ Publish 3.7.0 through 4.2.0 allows remote attackers to inject arbitrary web script or HTML via the subTreeItem parameter.
CVE-2008-6844 1Ez 1Ez Publish Apr 23, 2026 Jul 2, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAtt...Show more The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, ContentObjectAttribute_data_user_password_30, and other parameters.Show less
CVE-2007-4494 1Ez 1Ez Publish Apr 23, 2026 Aug 23, 2007 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The tipafriend function in eZ publish before 3.8.9, and 3.9 before 3.9.3, does not limit access by anonymous users, which allows remote attackers to conduct spam attacks.
CVE-2007-4493 1Ez 1Ez Publish Apr 23, 2026 Aug 23, 2007 N/A· v4 N/A· v3 10.0 HIGH· v2 eZ publish before 3.8.9, and 3.9 before 3.9.3, does not properly check permissions on module views that lack a policy function, which has unknown impact and attack vectors, as demonstrated by a vulnerability in the disco...Show more eZ publish before 3.8.9, and 3.9 before 3.9.3, does not properly check permissions on module views that lack a policy function, which has unknown impact and attack vectors, as demonstrated by a vulnerability in the discount functionality in the shop module.Show less
CVE-2006-7219 1Ez 1Ez Publish Apr 23, 2026 Jul 6, 2007 N/A· v4 N/A· v3 4.0 MEDIUM· v2 eZ publish before 3.8.5 does not properly enforce permissions for editing in a specific language, which allows remote authenticated users to create a draft in an unauthorized language by editing an archived version of an...Show more eZ publish before 3.8.5 does not properly enforce permissions for editing in a specific language, which allows remote authenticated users to create a draft in an unauthorized language by editing an archived version of an object, and then using Manage Versions to copy this version to a new draft.Show less
CVE-2006-7218 1Ez 1Ez Publish Apr 23, 2026 Jul 6, 2007 N/A· v4 N/A· v3 4.0 MEDIUM· v2 eZ publish before 3.8.1 does not properly enforce permissions for "content edit Language" when there are four or more languages, which allows remote authenticated users to perform translations into languages that are not...Show more eZ publish before 3.8.1 does not properly enforce permissions for "content edit Language" when there are four or more languages, which allows remote authenticated users to perform translations into languages that are not listed in a Module Function Limitation policy.Show less
CVE-2006-0938 1Ez 1Ez Publish Apr 16, 2026 Mar 1, 2006 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in eZ publish 3.7.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the RefererURL parameter.
CVE-2005-4857 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 4.0 MEDIUM· v2 eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051128 allows remote authenticated users to cause a denial of service (Apache httpd segmentation fault) via a request to content/advanceds...Show more eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051128 allows remote authenticated users to cause a denial of service (Apache httpd segmentation fault) via a request to content/advancedsearch.php with an empty SearchContentClassID parameter, reportedly related to a "memory addressing error".Show less
CVE-2005-4856 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051110 does not properly handle authorization errors, which allows remote attackers to obtain sensitive information...Show more The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051110 does not properly handle authorization errors, which allows remote attackers to obtain sensitive information and see the admin pagelayout and associated templates via a request with (1) "anything after the url" or (2) a "wrong url".Show less
CVE-2005-4855 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 3.5 LOW· v2 Unrestricted file upload vulnerability in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050922 does not restrict Image datatype uploads to image content types, which allows remote a...Show more Unrestricted file upload vulnerability in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050922 does not restrict Image datatype uploads to image content types, which allows remote authenticated users to upload certain types of files, as demonstrated by .js files, which may enable cross-site scripting (XSS) attacks or other attacks.Show less
CVE-2005-4854 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 eZ publish 3.5 through 3.7 before 20050830 does not use a folder's read permissions to restrict notifications, which allows remote authenticated users to obtain sensitive information about changes to content in arbitrary...Show more eZ publish 3.5 through 3.7 before 20050830 does not use a folder's read permissions to restrict notifications, which allows remote authenticated users to obtain sensitive information about changes to content in arbitrary folders.Show less
CVE-2005-4853 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 9.4 HIGH· v2 The default configuration of the forum package in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050818 does not restrict edit permissions to a posting's owner, which allows remote a...Show more The default configuration of the forum package in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050818 does not restrict edit permissions to a posting's owner, which allows remote authenticated users to edit arbitrary postings.Show less
CVE-2005-4852 1Ez 1Ez Publish Apr 16, 2026 Dec 31, 2005 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The siteaccess URIMatching implementation in eZ publish 3.5 through 3.8 before 20050812 converts all non-alphanumeric characters in a URI to '_' (underscore), which allows remote attackers to bypass access restrictions b...Show more The siteaccess URIMatching implementation in eZ publish 3.5 through 3.8 before 20050812 converts all non-alphanumeric characters in a URI to '_' (underscore), which allows remote attackers to bypass access restrictions by inserting certain characters in a URI, as demonstrated by a request for /admin:de, which matches a rule allowing only /admin_de to access /admin.Show less

12 Next