PT-2024-40068 · Cksource+2 · Ckeditor+5
Published 2024-05-15 · Updated 2024-05-15
Severity: no severity ratings or metrics are available; the page will be updated when they are.
Name of the Vulnerable Software and Affected Versions:
eZ Platform versions 1.13.x through 3.1.2
eZ Platform EE versions 2.5.13 through 3.1.2
CKEditor versions prior to 4.14
AlloyEditor versions prior to 2.11.9
Description:
There are two security issues of low to medium severity. The first is an XSS vulnerability in CKEditor, which is used by AlloyEditor in the eZ Platform Admin UI: scripts can be injected through specially crafted "protected" comments. Although it is uncertain whether this vulnerability is exploitable in eZ Platform, installing the update is recommended as a precaution. The second issue affects the Enterprise Edition of eZ Platform, where drafts sent to trash become visible in the Review Queue, allowing users to see their title and review history even if they could not see them before.
Recommendations:
For eZ Platform v1.13.x: update ezsystems/PlatformUIAssetsBundle to v4.2.3.
For eZ Platform v2.5.13: update ezsystems/ezplatform-admin-ui-assets to v4.2.1.
For eZ Platform v3.0.*: update ezsystems/ezplatform-admin-ui-assets to v5.0.1.
For eZ Platform v3.1.2: update ezsystems/ezplatform-admin-ui-assets to v5.1.1.
For eZ Platform EE v2.5.13: update ezsystems/ezplatform-workflow to v1.1.9.
For eZ Platform EE v3.1.2: update ezsystems/ezplatform-workflow to v2.1.1.
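As an added check that is not part of the advisory, the script below scans a composer.lock for the three ezsystems packages named above and compares each installed version against the fixed release for its branch. The branch-to-fix mapping is read straight from the recommendations; the sample lock file, the lowercase package-name normalisation and the treatment of unlisted branches as "review manually" are assumptions.

```python
import json
from typing import Dict, List, Tuple

# Fixed versions from the advisory, keyed by package and by the major.minor
# branch they apply to (assumption: a branch not listed here is unknown).
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "ezsystems/platformuiassetsbundle": {"4.2": "4.2.3"},
    "ezsystems/ezplatform-admin-ui-assets": {"4.2": "4.2.1", "5.0": "5.0.1", "5.1": "5.1.1"},
    "ezsystems/ezplatform-workflow": {"1.1": "1.1.9", "2.1": "2.1.1"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a composer version such as 'v5.1.0' into a comparable tuple; raise on non-numeric tags."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def check_lockfile(lock_json: str) -> List[Tuple[str, str, str]]:
    """Return (package, installed version, verdict) for every advisory package in the lock file."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"].lower()  # composer normalises names to lowercase
        if name not in FIXED_VERSIONS:
            continue
        try:
            installed = parse_version(pkg["version"])
        except ValueError:  # e.g. a dev branch alias: cannot compare, flag for review
            findings.append((name, pkg["version"], "unparseable-version"))
            continue
        branch = ".".join(str(p) for p in installed[:2])
        fixed = FIXED_VERSIONS[name].get(branch)
        if fixed is None:
            verdict = "unknown-branch (review manually)"
        elif installed < parse_version(fixed):
            verdict = f"vulnerable (update to {fixed})"
        else:
            verdict = "fixed"
        findings.append((name, pkg["version"], verdict))
    return findings


# Constructed sample composer.lock: one outdated package, one patched, one unrelated.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "ezsystems/ezplatform-admin-ui-assets", "version": "v5.1.0"},
    {"name": "ezsystems/ezplatform-workflow", "version": "v2.1.1"},
    {"name": "acme/unrelated-package", "version": "v1.0.0"},
]})

if __name__ == "__main__":
    for name, version, verdict in check_lockfile(SAMPLE_LOCK):
        print(f"{name} {version}: {verdict}")
```

Run it against a real lock file with `check_lockfile(open("composer.lock").read())`; a "vulnerable" line maps directly to the update step above for that platform version.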
Weakness Enumeration: XSS
Affected Products:
Alloyeditor
Ckeditor
Ez Platform
Ezsystems/Platformuiassetsbundle
Ezsystems/Ezplatform-Admin-Ui-Assets
Ezsystems/Ezplatform-Workflow