PT-2009-2313 · Ez Systems · Ez Publish

S4Avrd0W · Published 2009-07-02 · Updated 2017-09-29 · CVE-2008-6844

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: eZ Publish versions 3.5.6 and earlier; eZ Publish versions prior to 3.9.5; eZ Publish versions prior to 3.10.1; eZ Publish versions prior to 4.0.1.

Description: The issue allows remote attackers to gain privileges as other users via modified parameters in the registration view. The affected API endpoint is "/user/register". The vulnerable parameters include "ContentObjectAttribute_data_user_login_30" and "ContentObjectAttribute_data_user_password_30".

Recommendations: For versions 3.5.6 and earlier, update to a version later than 3.5.6. For versions prior to 3.9.5, update to version 3.9.5 or later. For versions prior to 3.10.1, update to version 3.10.1 or later. For versions prior to 4.0.1, update to version 4.0.1 or later.

Related Identifiers

CVE-2008-6844

Affected Products

Ez Publish