Skip to content

ezplatform-admin-ui vulnerable to Cross-Site Scripting (XSS)

Critical severity GitHub Reviewed Published Nov 10, 2022 in ezsystems/ezplatform-admin-ui • Updated Jan 7, 2023

Package

composer ezsystems/ezplatform-admin-ui (Composer)

Affected versions

>= 2.3.0, < 2.3.26

Patched versions

2.3.26

Description

It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.

References

@glye glye published to ezsystems/ezplatform-admin-ui Nov 10, 2022
Published to the GitHub Advisory Database Nov 10, 2022
Reviewed Nov 10, 2022
Last updated Jan 7, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-58h5-h554-429q

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.