GHSA-C737-JHWR-FQXJ

Vulnerability from github – Published: 2023-03-12 06:30 – Updated: 2025-03-05 13:54
VLAI?
Summary
Cross Site Scripting in eZ Platform Ibexa Kernel
Details

Impact

In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims. Patches

Patches

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the settting "ezsettings.default.io.file_storage.file_type_blacklist" at: https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109 Important note

Important note

You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don't blacklist that. Instead, you could e.g. use an approval workflow for such content.

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezpublish-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.13.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezpublish-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.5.0"
            },
            {
              "fixed": "7.5.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezplatform-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezplatform-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-46875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-13T20:57:46Z",
    "nvd_published_at": "2023-03-12T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nIn file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.\nPatches\n\n## Patches\n\nThe fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See \"Patched versions\". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don\u0027t want to upgrade it at this time. Please see the settting \"ezsettings.default.io.file_storage.file_type_blacklist\" at:\nhttps://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109\nImportant note\n\n## Important note\n\nYou should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if you need your editors to be able to upload SVG files, then don\u0027t blacklist that. Instead, you could e.g. use an approval workflow for such content.",
  "id": "GHSA-c737-jhwr-fqxj",
  "modified": "2025-03-05T13:54:16Z",
  "published": "2023-03-12T06:30:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-mrvj-7q4f-5p42"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46875"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ezsystems/ezpublish-kernel/commit/29fecd2afe86f763510f10c02f14962d028f311b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ezsystems/ezpublish-kernel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross Site Scripting in eZ Platform Ibexa Kernel"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.