We found results for “”
WS-2020-0178
Good to know:
Date: October 6, 2020
Object Injection was found in legacy shop module (ezsystems/ezpublish-legacy) before versions v2019.03.5.1, v2017.12.7.3, and v5.4.14.2. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission requirement means that normally only administrators would be able to exploit it, that's why we've classified it as Medium severity.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Injection
CWE-74Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | HIGH |
Privileges Required (PR): | HIGH |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |