PT-2010-4194 · Ez Systems · Ez Publish

Published: 2010-07-08 · Updated: 2010-07-09 · CVE-2010-2672

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: eZ Publish versions 3.7.0 through 4.2.0

Description: The issue allows remote attackers to execute arbitrary SQL commands via the SectionID and SearchTimestamp parameters of the "search" feature and the SearchContentClassAttributeID parameter of the "advancedsearch" feature.

Recommendations: For versions 3.7.0 through 4.2.0, consider restricting access to the search and advanced search features until a fix is available. As a temporary workaround, avoid using the SectionID, SearchTimestamp, and SearchContentClassAttributeID parameters in the affected features.

Fix

RCE

SQL injection

Related Identifiers

CVE-2010-2672

Affected Products

Ez Publish