Home > Vulnerability Database > WS-2020-0178

Mend.io Vulnerability Database

WS-2020-0178

Good to know:

Date: October 6, 2020

Object Injection was found in legacy shop module (ezsystems/ezpublish-legacy) before versions v2019.03.5.1, v2017.12.7.3, and v5.4.14.2. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why we've classified it as Medium severity.

Language: PHP

Severity Score

6.6

Related Resources (2)

Url: https://ezplatform.com/security-advisories/ibexa-sa-2020-006-object-injection-in-legacy-shop-module

Url: https://www.mend.io/vulnerability-database/WS-2020-0178

Severity Score

6.6

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version ezsystems/ezpublish-legacy - v2017.12.7.3;ezsystems/ezpublish-legacy - v2019.03.5.1

Learn More

CVSS v3.1

Base Score:	6.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2020-0178

Good to know:

Date: October 6, 2020

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?